A p-adic quasi-quadratic point counting algorithm

Robert Carls, David Lubicz

June 27, 2008

Robert Carls
robert.carls@uni-ulm.de
Institute of Pure Mathematics
University of Ulm
D-89069 Ulm, Germany

David Lubicz
david.lubicz@univ-rennes1.fr
CELAR
BP 7419
35174 Bruz Cedex
France



Abstract 

In this article we give an algorithm for the computation of the number of
rational points on the Jacobian variety of a generic ordinary hyperelliptic
curve defined over a finite field $\mathbb{F}_q$ of cardinality $q$ with time
complexity $O(n^{2+o(1)})$ and space complexity $O(n^2)$, where $n = \log(q)$.
In the latter complexity estimate the genus and the characteristic are assumed
as fixed. Our algorithm forms a generalization of both, the AGM algorithm of
J.-F. Mestre and the canonical lifting method of T. Satoh. We canonically lift
a certain arithmetic invariant of the Jacobian of the hyperelliptic curve in
terms of theta constants. The theta null values are computed with respect to a
semi-canonical theta structure of level $2^\nu p$ where $\nu > 0$ is an integer
and $p = \mathrm{char}(\mathbb{F}_q) > 2$. The results of this paper suggest a
global positive answer to the question whether there exists a quasi-quadratic
time algorithm for the computation of the number of rational points on a
generic ordinary abelian variety defined over a finite field.

Keywords: point counting algorithm, canonical lift, theta function, p-adic
method, CM construction.



1 Introduction 

The study of the properties of non-singular projective algebraic curves over 
finite fields is a subject of central importance in algorithmic number theory and 
cryptography. It is well established that the Jacobian varieties of such curves 
constitute a suitable family of groups to be used in cryptographic protocols 
which are based upon the difficulty of solving the discrete logarithm problem. 
In order to avoid 'weak' Jacobians, i.e. Jacobian varieties which give a trivial
instance of the general discrete logarithm problem, it is necessary to precompute
the number of rational points on a given Jacobian. This issue has prompted a 
lot of research, focused on the design of efficient point counting algorithms. 

Next we briefly recall how one can count points by computing the eigenvalues
of the absolute Frobenius endomorphism on a Jacobian variety. We denote by
$\mathbb{F}_q$ a finite field with $q$ elements. Let $\Sigma$ be the $q$-th
power Frobenius morphism acting on the algebraic closure $\bar{\mathbb{F}}_q$
of $\mathbb{F}_q$. Let $C$ be a smooth projective curve of genus $g$ over
$\mathbb{F}_q$, and let $J(C)$ be its Jacobian. For a prime number $\ell$ not
dividing $q$ we denote by $T_\ell$ the $\ell$-adic Tate module of $J(C)$. The
latter is a free $\mathbb{Z}_\ell$-module of rank $2g$. Here $\mathbb{Z}_\ell$
stands for the $\ell$-adic integers. Let $\mathrm{End}(J(C))$ be the ring of
endomorphisms of $J(C)$ and put
$\mathrm{End}^0(J(C)) = \mathrm{End}(J(C)) \otimes \mathbb{Q}$. There exists a
canonical injective morphism
$\rho_\ell : \mathrm{End}^0(J(C)) \to \mathrm{End}_{\mathbb{Q}_\ell}(T_\ell \otimes \mathbb{Q}_\ell)$
which is called the $\ell$-adic representation of $\mathrm{End}^0(J(C))$. Let
$F$ be the purely inseparable endomorphism of degree $q^g$ of $J(C)$ given by
the action of $\Sigma$ on geometric point coordinates
$(x_1, \ldots, x_n) \mapsto (x_1^q, \ldots, x_n^q)$. One would like to compute,
in an efficient way, the characteristic polynomial $\chi_F$ of $\rho_\ell(F)$.
One recovers the number of rational points of the Jacobian $J(C)$ as
$\chi_F(1)$.

Broadly speaking, there exist two classes of point counting algorithms. On
one hand, there are the so-called $\ell$-adic algorithms initiated by the work
of R. Schoof [Sch85]. These algorithms compute the action of the Frobenius
morphism on the group of $\ell$-torsion points for different primes $\ell$,
where the latter $\ell$ are chosen coprime to the characteristic of the finite
field. If the product over all $\ell$ is sufficiently big, then one can recover
$\chi_F$ by the Chinese remainder theorem. Schoof's algorithm for elliptic
curves behaves very well, due to the improvements by O. Atkin and N. Elkies
[Sch95], [Elk98]. Cryptographic sizes still seem to be difficult to reach in
genus 2 [GS04] and higher. A generalization of the method of R. Schoof, the
complexity of which is polynomial in the genus, has been proposed by B.
Edixhoven [Edi06]. On the other hand, there are the so-called $p$-adic methods,
introduced by the work of T. Satoh [Sat00]. These algorithms rely on the
computation of the action of the Frobenius morphism on $p$-adic canonical lifts
of certain arithmetic invariants, where $p > 0$ is the characteristic of the
finite base field. They have in common a bad behavior with respect to the
characteristic $p$. It is convenient to assess their complexity in terms of
$\log(q)$, where $q$ is the number of elements of the finite field
$\mathbb{F}_q$ and where the characteristic $p$ of the finite field is assumed
as fixed.

In the following we recall existing work about $p$-adic point counting
algorithms. First, a series of algorithmic improvements upon the algorithm of
Satoh [Gau02], [Har02b], [Har02a], [KPC+02], [LL03], [VPV01] led to a
quasi-quadratic time point counting algorithm for ordinary elliptic curves over
finite fields. The special case of characteristic 2 was then interpreted by
J.-F. Mestre in terms of a 2-adic analogue of Gauss' algebraic geometric mean.
He gave a very elegant and simple quasi-cubic time point counting algorithm for
ordinary elliptic curves over finite fields of characteristic 2 [Mes01]. The
previously cited algorithmic improvements upon the algorithm of Satoh can also
be applied to Mestre's algorithm, which results in a quasi-quadratic time point
counting algorithm. Mestre has extended the scope of his algorithm by showing
that the algebraic geometric mean formulas can be considered as a particular
case of the Riemann duplication formulas for complex analytic theta functions
[Mes02]. His ideas led to a quasi-quadratic time point counting algorithm for
ordinary hyperelliptic curves defined over a finite field of characteristic 2
[LL06]. Other $p$-adic algorithms were found by K. Kedlaya [Ked01] and A. Lauder
[LW02]. Their algorithms are based on the computation of the action of a formal
Frobenius lift on the Monsky-Washnitzer and the Dwork cohomology groups,
respectively.

The aim of this paper is to describe an algorithm for the computation of
the number of points of a generic ordinary hyperelliptic curve over a finite
field $\mathbb{F}_q$ with $q$ elements of characteristic $p > 2$ which has
quasi-quadratic time and quadratic space complexity in terms of $\log_p(q)$. We
give two versions of our algorithm: a proven version of the algorithm, for
which we are able to prove that it is correct and that it has quasi-quadratic
time and quadratic space complexity, and a heuristic version of the algorithm,
the proof of which relies on some yet unproven facts.

The reason why we give both algorithms is that, due to the smaller constant 
term in the complexity estimate of the heuristic algorithm, it performs much 
faster than the proven algorithm for field sizes which are actually used in the 
applications. We have strong computational evidence that also the heuristic 
version of the algorithm is correct. Our method follows the point counting 
strategy of J.-F. Mestre, which relies on the computation of arithmetic invariants 
of canonical lifts using the coordinate system provided by the theta null values 
associated to an abelian variety with theta structure. In our case, the theta null 
point is computed with respect to a theta structure of level $2^\nu p$ where $\nu \geq 1$
is an integer and p > 2 is the characteristic of the residue field. The results of 
this paper suggest a global positive answer to the question whether there exists 
a quasi-quadratic time and quadratic space algorithm for the computation of 
the number of rational points of a generic ordinary abelian variety over a finite 
field. 

Both versions of the algorithm consist of the following two main steps,
according to the classical lift and norm paradigm. Let $C$ be an ordinary
hyperelliptic curve over a finite field of characteristic $p > 2$ whose
Jacobian is absolutely simple.

1. First, one computes a certain arithmetic invariant associated to the
canonical lift of the Jacobian variety of the curve $C$. The arithmetic
invariant is given by the theta null point of a Jacobian of $C$ with respect to
a semi-canonical theta structure of level $2^\nu p$ with $\nu > 0$ an integer.
The lifting is done using a multivariate Henselian lifting algorithm applied to
certain theta identities of level $2^\nu p$ and degree $p^2$.

2. Secondly, the norm of a certain quotient of theta null values attached to
the canonical lift is computed. This value coincides with the product of
the invertible eigenvalues of the absolute Frobenius endomorphism on the
reduction. If one computes the canonical lift and the norm with sufficiently
high precision, then it is straightforward to recover the characteristic
polynomial of the Frobenius morphism from the latter approximation of
the norm.

The only difference between the proven and the heuristic version of our
algorithm lies in the choice of the parameter $\nu$ of Step 1. In the heuristic
version of the algorithm the parameter $\nu$ is chosen to be equal to 1. In the
case that $\nu = 3$ we are able to give a complete proof of correctness of the
algorithm.
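
The identity $\#J(C)(\mathbb{F}_q) = \chi_F(1)$ from the introduction and the trace recovery at the end of Step 2, worked through in the smallest case as an added example that is not part of the paper: genus 1, $q = p$ prime and $p$-adic precision 1, where the unit Frobenius eigenvalue modulo $p$ is the Hasse invariant. The curve parameters are constructed sample values, the function names are hypothetical, and the Hasse invariant stands in for the theta-quotient norm of the paper, which is not implemented here.

```python
from math import gcd


def hasse_invariant(a, b, p):
    """Coefficient of x^(p-1) in (x^3 + a*x + b)^((p-1)/2), reduced mod p.

    For y^2 = x^3 + a*x + b over F_p this is the unit Frobenius eigenvalue
    reduced mod p; it vanishes exactly when the curve is not ordinary.
    """
    f = [b % p, a % p, 0, 1]               # coefficients, lowest degree first
    acc = [1]
    for _ in range((p - 1) // 2):
        nxt = [0] * min(len(acc) + 3, p)   # degrees >= p are never needed
        for i, c in enumerate(acc):
            if c:
                for j, d in enumerate(f):
                    if i + j < p:
                        nxt[i + j] = (nxt[i + j] + c * d) % p
        acc = nxt
    return acc[p - 1]


def trace_from_unit_root(pi, q, modulus):
    """Recover the Frobenius trace t from the unit eigenvalue pi mod `modulus`.

    `modulus` is the power of p up to which pi is known. Since
    t = pi + q/pi and |t| <= 2*sqrt(q), t is determined uniquely as soon as
    modulus > 4*sqrt(q).
    """
    if gcd(pi, modulus) != 1:
        raise ValueError("eigenvalue is not a unit: curve is not ordinary")
    if modulus * modulus <= 16 * q:
        raise ValueError("precision too low: need modulus > 4*sqrt(q)")
    t = (pi + q * pow(pi, -1, modulus)) % modulus
    if 2 * t > modulus:                    # symmetric representative
        t -= modulus
    if t * t > 4 * q:
        raise ValueError("recovered trace violates the Hasse bound")
    return t


def jacobian_order(t, q):
    """chi_F(1) for the genus 1 polynomial chi_F(X) = X^2 - t*X + q."""
    return 1 - t + q


def order_via_unit_root(a, b, p):
    """Group order of y^2 = x^3 + a*x + b over F_p from precision-1 data."""
    pi_mod_p = hasse_invariant(a, b, p)
    t = trace_from_unit_root(pi_mod_p, p, p)
    return jacobian_order(t, p)


def brute_force_order(a, b, p):
    """Reference count: affine solutions plus the point at infinity."""
    square_roots = {}
    for y in range(p):
        s = y * y % p
        square_roots[s] = square_roots.get(s, 0) + 1
    return 1 + sum(square_roots.get((x**3 + a * x + b) % p, 0)
                   for x in range(p))


if __name__ == "__main__":
    p, a = 101, 2                          # constructed sample parameters
    for b in range(1, 6):
        if (4 * a**3 + 27 * b * b) % p == 0 or hasse_invariant(a, b, p) == 0:
            continue                       # singular or non-ordinary curve
        n = order_via_unit_root(a, b, p)
        print(f"y^2 = x^3 + {a}x + {b} over F_{p}: order {n}, "
              f"brute force {brute_force_order(a, b, p)}")
```

For $q = p^n$ with $n > 1$ precision 1 no longer determines the trace, which is why the lift and the norm have to be computed to higher $p$-adic precision.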

This paper is organized as follows. In Section 2 we present some new
theoretical results that form the basis of our algorithm.

• (Section 2.1) An important ingredient of our algorithm is given by theta
relations of level $2^\nu p$ and degree $p^2$, which describe the action of a
square of the unique Frobenius lift on the Serre-Tate formal torus with respect
to the coordinates given by the canonical theta structure [Car07]. We
remark that the equations which are described in Section 2.1 can also
be used for CM construction in arbitrary characteristic, generalizing the
results of [CKL08].

• (Section 2.2) We give equations which, together with the relations of
Section 2.1, define the local deformation space of an ordinary abelian variety
with a $(2^\nu p)$-theta structure. Classically, equations in terms of theta
constants defining the moduli space of abelian varieties are known if the level
is divisible by 8 (see [Mum67, §6]).

• (Section 2.3) It is well-known that the 4-theta null point of the Jacobian
variety of a hyperelliptic curve can be computed using the Thomae formulas.
One can extend the 4-theta null point to a $(2^\nu p)$-theta null point
using the equations for level $2^\nu p$ that are given in Section 2.2.

• (Section 2.4) We give a transformation formula which relates a certain
quotient of theta null values of the canonical lift for level $2^\nu p$ with the
product of the invertible eigenvalues of the absolute Frobenius morphism
acting on the reduction.

In Section 3 we give a point counting algorithm for generic ordinary
hyperelliptic curves over a finite field of characteristic $p > 2$. In Section 4
we provide a detailed complexity analysis of the latter algorithm. In Section 5
we prove that a closed variety defined from the equations of Section 2.2 has
dimension 0. In Section 6 we give some examples that have been computed using
an experimental implementation of our algorithm.

Notations and complexity hypothesis. We will denote by $\mathbb{F}_q$ a finite
field of characteristic $p > 0$ having $q$ elements. Let $\mathbb{Z}_q$ denote
the ring of Witt vectors with values in $\mathbb{F}_q$ and $\mathbb{Q}_q$ the
field of fractions of $\mathbb{Z}_q$. There exists a canonical lift
$\sigma \in \mathrm{Aut}(\mathbb{Z}_q)$ of the $p$-th power Frobenius morphism
of $\mathbb{F}_q$. If $a$ is an element of $\mathbb{Z}_q$ then we denote by
$\bar{a}$ its reduction modulo $p$ in $\mathbb{F}_q$. We say that we have
computed an element $x \in \mathbb{Z}_q$ to precision $m$, if we can write down
a bit-string representing its class in the quotient ring
$\mathbb{Z}_q/p^m\mathbb{Z}_q$. In order to assess the complexity of our
algorithm we use the computational model of a Random Access Machine [Pap94]. We
assume that the multiplication of two $n$-bit length integers takes $O(n^\mu)$
bit operations. One can take $\mu = 1 + \epsilon$ (for $n$ large),
$\mu = \log_2(3)$ and $\mu = 2$ using the FFT multiplication algorithm, the
Karatsuba algorithm and a naive multiplication method, respectively. Let
$x, y \in \mathbb{Z}_q/p^m\mathbb{Z}_q$. For the following we assume the sparse
modulus representation which is explained in [CFA+06, pp.239]. Under this
assumption one can compute the product $xy$ to precision $m$ by performing
$O(\log(q)^\mu m^\mu)$ bit operations.

2 Theta relations of level 2p 

In this section we give some original results that form the basis of our point 
counting algorithm. In order to do explicit canonical lifting it is necessary to 
find theta identities that describe the arithmetic invariants of canonical lifts. 
It is not difficult to make up a theta relation. A hard problem is to make a 
'complete' set of theta relations that is suitable for canonical lifting. We give 
such a complete set of equations in the following sections. Also we give a special 
theta relation, deduced from the classical transformation formula, which allows 
one to recover the eigenvalues of the Frobenius from the arithmetic invariant of 
the canonical lift. 

2.1 A local ^-correspondence 

Let $R$ be a complete noetherian local ring with finite residue field
$\mathbb{F}_q$ of characteristic $p > 0$. Suppose that we are given an abelian
scheme $A$ over $R$ which has ordinary reduction. Let $\mathcal{L}$ be an ample
symmetric line bundle of degree 1 on $A$. Assume that there exists a
$\sigma \in \mathrm{Aut}(R)$ lifting the $p$-th power Frobenius automorphism of
$\mathbb{F}_q$. For $m > 1$ we set $Z_m = (\mathbb{Z}/m\mathbb{Z})^g$ where $g$
is the relative dimension of $A$ over $R$.

Now assume that $p > 2$ and let $n \geq 1$ be an integer with $(n,p) = 1$, i.e.
$n$ is coprime to $p$. Suppose that we are given a symmetric theta structure
$\Theta_{2n}$ of type $Z_{2n}$ for $\mathcal{L}^{2n}$ and an isomorphism

$Z_{p,R} \xrightarrow{\sim} A[p]^{\mathrm{et}}$ (1)

where $A[p]^{\mathrm{et}}$ denotes the maximal étale quotient of $A[p]$. By
[Car07, Th.2.2] there exists a canonical theta structure $\Theta_p$ of type
$Z_p$ for the line bundle $\mathcal{L}^p$ which is uniquely determined by the
isomorphism (1). Let $\Theta_{2np} = \Theta_{2n} \times \Theta_p$ be the
semi-canonical symmetric product theta structure of type $Z_{2np}$ for
$\mathcal{L}^{2np}$ (see [CKL08, §3.2]).

We denote the theta null point with respect to the theta structure
$\Theta_{2np}$ by $(a_u)_{u \in Z_{2np}}$. In the following we consider Z^,
$Z_{np}$ and $Z_{2p}$ as embedded compatibly into $Z_{2np}$. Let $S$ be the set
of all 4-tuples $(x, y, v, w) \in Z_{2np}^4$ such that the sets
$\{x + y, x - y\}$ and $\{v + pw, v - pw\}$ are equal and contained in
7

Theorem 2.1. There exists an $\omega \in R^*$ such that for all
$(x, y, v, w) \in S$ one has

$$\sum_{z \in Z_2} a_{x+z}\, a_{y+z} = \omega \sum_{u \in Z_{2p}} a_{v+pu}\, a_{w+u}^{\sigma^2}.$$

Proof. Assume that we have chosen an isomorphism

$Z_{p^3,R} \xrightarrow{\sim} A[p^3]^{\mathrm{et}}$ (2)

which induces the trivialization (1) if one restricts to $Z_p$. The choice of
the isomorphism (2) possibly requires a local-étale extension of the base.
Nevertheless, the resulting formulas are defined over the original ring $R$. By
[Car07, Th.2.2] there exists a canonical theta structure $\Theta_{p^3}$ of type
$Z_{p^3}$ for the line bundle $\mathcal{L}^{p^3}$ depending on the
trivialization (2). By [Car, Lem.2.1] the theta structures $\Theta_{p^3}$ and
$\Theta_p$ are $p^2$-compatible in the sense of [Car, Def.5.5]. By
[CKL08, Lem.3.3] there exists a semi-canonical product theta structure
$\Theta_{2np^3} = \Theta_{2n} \times \Theta_{p^3}$ of type $Z_{2np^3}$ for
$\mathcal{L}^{2np^3}$. We remark that by [Car07, Th.5.1] and [CKL08, Lem.3.2]
the canonical theta structure $\Theta_{p^3}$ is symmetric. Hence by
[CKL08, Lem.3.4] the theta structures $\Theta_p$, $\Theta_{2np}$,
$\Theta_{p^3}$ and $\Theta_{2np^3}$ form a compatible system. Because of the
symmetry of the theta structure $\Theta_{2n}$ there exists a theta structure
$\Theta_n$ of type $Z_n$ for $\mathcal{L}^n$ which is 2-compatible with
$\Theta_{2n}$ (see [Mum66, §2, Rem.1]). By the same reasoning as above there
exists a semi-canonical product theta structure
$\Theta_{np} = \Theta_n \times \Theta_p$ which is 2-compatible with
$\Theta_{2np}$.

Suppose that we are given a rigidification of the line bundle $\mathcal{L}$. We
set $V(Z_m) = \mathrm{Hom}(Z_{m,R}, \mathcal{O}_R)$ for $m > 1$. Recall that
$V(Z_m)$ is the module of finite theta functions as defined in [Mum66, §1]. One
can choose theta group equivariant isomorphisms

$$\mu_i : \pi_*\mathcal{L}^i \xrightarrow{\sim} V(Z_i),$$

where $i \in I = \{np, 2np, 2np^3\}$ and where $\pi : A \to \mathrm{Spec}(R)$
denotes the structure morphism. The isomorphisms $\mu_i$ induce finite theta
functions $q_{\mathcal{L}^i} \in V(Z_i)$ where $i \in I$.

It follows from Corollary 2.5 taking $i = j = 1$ and $m = -n = p$ that there
exists a $\lambda \in R^*$ such that

$$q_{\mathcal{L}^{np}}(v + pw)\, q_{\mathcal{L}^{np}}(v - pw) = \lambda \sum_{u \in Z_{2p}} q_{\mathcal{L}^{2np}}(v + pu)\, q_{\mathcal{L}^{2np^3}}(w + u).$$

It follows by [CKL08, Th.2.4] and [Car, Th.2.3] in conjunction with
[Car, Lem.2.2] and [CKL08, Lem.3.5] that

E2 
q<Z? np ( v + pu)q^? np (w + u) a . (3) 

uGZ 2p 

Corollary 2.5 implies by means of the choice $i = j = p$ and $m = -n = 1$ that
there exists a $\lambda \in R^*$ such that

$$q_{\mathcal{L}^{np}}(x + y)\, q_{\mathcal{L}^{np}}(x - y) = \lambda \sum_{z \in Z_2} q_{\mathcal{L}^{2np}}(x + z)\, q_{\mathcal{L}^{2np}}(y + z). \quad (4)$$

By the assumption that $(x, y, v, w) \in S$, the left hand sides of the
equations (3) and (4) are equal. As a consequence, there exists an
$\omega \in R^*$ such that

$$\sum_{z \in Z_2} q_{\mathcal{L}^{2np}}(x + z)\, q_{\mathcal{L}^{2np}}(y + z) = \omega \sum_{u \in Z_{2p}} q_{\mathcal{L}^{2np}}(v + pu)\, q_{\mathcal{L}^{2np}}(w + u)^{\sigma^2}.$$

This completes the proof of the theorem. □

In the following we illustrate Theorem 2.1 by some examples.

Example g = 1, n = 1, p = 3: 

0100 + 0203 = Lu(aiciQ +0203 + 2ai02 + 2a2a" ) 

a,2aQ + aids = cj(2oiOi +0209 +0103 +20202 ) 

22 22 
03^3 + aoOo = cij(2aoa2 +0303 + 20301 + aoOp ) 

2 22 2 

^0^3 + a 3O0 — ^(^003 + 20302 + 0309 + 2aoOi ) 

Example g = 1, n = 1, p = 5: 

2 22 2 22 

0200 + 0305 = ^(20303 + 2aza1 +0200 +20204 +20202 +0305 ) 

22 2 2 22 

0205 + 0300 = cj(2o 2 03 +0205 +20304 +20303 + 2a 2 Oi +0300 ) 

222222 
0005 + 0500 = cj(aoOg + 20504 + 20003 + 20502 + 0500 + 2aoOi ) 

222222 
0400 + 0105 = a;(o40o + 2a\a1 + aiag + 20103 + 20404 + 20402 ) 

2 2 22 22 

0505 + aoao = a>(2aoa2 + la^al + 20004 + 0505 + 20503 + ooOq ) 

222222 
aiao + 0405 = w(aiOo + 20403 + 0405 + 2a\a1 + laxaf^ + 20401 ) 

2.1.1 A generalized theta multiplication formula 

In the following we give a generalized multiplication formula in the context of 
Mumford's algebraic theta functions. We only sketch a proof. For more details 
we refer to [Koi76] and [Kem89].

Let $A$ be an abelian scheme over a local ring $R$ and let $\xi$ denote the
isogeny $A^2 \to A^2$ given by the matrix

$$\begin{pmatrix} 1 & m \\ 1 & n \end{pmatrix}$$

where $m, n \in \mathbb{Z}$. Let $i, j \geq 1$ and
$I = \{i, j, i+j, im^2 + jn^2\}$. Assume that we are given an ample symmetric
line bundle $\mathcal{L}$ on $A$ and compatible theta structures $\Theta_t$ for
$\mathcal{L}^t$ of type $K_t$ where $t \in I$. We set
$\mathcal{M}_{i,j} = p_1^*\mathcal{L}^i \otimes p_2^*\mathcal{L}^j$.

Lemma 2.2. Suppose that $im + jn = 0$. Then one has

$$\xi^*\mathcal{M}_{i,j} = \mathcal{M}_{i+j,\,im^2+jn^2}.$$

Proof. Let $(a, b) \in A^2$. We define

$s_1 : A \to A^2,\ x \mapsto (a, x)$ and $s_2 : A \to A^2,\ x \mapsto (x, b)$.
One computes

s^ij = s* 2 p\% 1 ® s* 2 p* 2 ^ = (p x o s 2 )*S£ l <g> (p 2 o s 2 )*J2« = 

where $p_k : A^2 \to A$ denotes the projection on the $k$-th factor. Similarly, we have
s*Mi,j = l£i ' . Also we have

s&Mij = (Pi ° t *2)*^ ® (Pa o £ o s 2 )*^ = If m]6 JSf (» If n]6 JS« 
( = ] (T b *Jf im ® jgf-*(»»-i)) 8 (i»jsfi» g jgf-J(n-i)j 
= T h * j£ im +i n (g) = 

The latter equality follows by our assumption $im + jn = 0$. The equality (*) is
implied by the Theorem of the Square. Now take $a = 0_A$ where $0_A$ denotes the
zero section of $A$. Then one has

4CM id = (pi o £ o ® (p 2 o £ o Sl )*jSf j 

The latter equality comes from the symmetry of the line bundle $\mathcal{L}$.
The proposition now follows by applying the Seesaw Principle. □

Assume now that we are given $n, m \in \mathbb{Z}$ such that $im + jn = 0$.
There exists a product theta structure $\Theta_{i,j}$ of type $K_{i,j}$ for
$\mathcal{M}_{i,j}$ where $K_{i,j} = K_i \times K_j$. On top of Lemma 2.2 one
can verify that the theta structure $\Theta_{i+j,\,im^2+jn^2}$ is
$\xi$-compatible with the theta structure $\Theta_{i,j}$ (compare [Mum66, §3]
and [CKL08, Lem.3.8]). Hence we can apply the Isogeny Theorem (see
[Mum66, §1, Th.4]) in order to get the following general addition formula.

Proposition 2.3. There exists a $\lambda \in R^*$ such that for all
$g \in V(K_{i,j})$ and $(x, y) \in K_{i+j,\,im^2+jn^2}$ we have

Here we denote by $V(K_{i,j})$ the module of finite theta functions of type
$K_{i,j}$. We define for $x \in K_{i+j}$

$$G_x = \{ y \in K_{im^2+jn^2} \mid \xi(x, y) \in K_{i,j} \}.$$

Here $K_{im^2+jn^2}$ and $K_{i,j}$ are considered as subgroups of $A$ and $A^2$
via the theta structures $\Theta_{im^2+jn^2}$ and $\Theta_{i,j}$, respectively.
As a corollary of Proposition 2.3 we get the following theorem.

Theorem 2.4 (General Multiplication Formula). There exists a $\lambda \in R^*$
such that for all $x \in K_{i+j}$, $f_1 \in V(K_i)$ and $f_2 \in V(K_j)$ we have

$$(f_1 \star f_2)(x) = \lambda \sum_{y \in G_x} f_1(x + my)\, f_2(x + ny)\, q_{\mathcal{L}^{im^2+jn^2}}(y).$$

The $\star$-product is defined as in [Mum66, §3]. A proof of Theorem 2.4 in
terms of the classical analytic theory is given in [Koi76]. In [Kem89] the
author sketches a proof of the general multiplication formula over a field of
positive characteristic. We remark that for $i = j = m = -n = 1$ one obtains
Mumford's 2-multiplication formula [Mum66, §3].

Corollary 2.5. There exists a $\lambda \in R^*$ such that for all $(a, b) \in K_{i,j}$ we have

f(x,y)=(a,6) 

2.2 Riemann's equations for level $2^\nu p$

We use the notation that has been introduced in Section 2.1. Let $R$ be a
noetherian local ring, $\ell > 0$ a prime and $\nu \geq 1$ an integer. Suppose
we are given an abelian scheme $A$ of relative dimension $g$ over $R$. Assume
that we are given an ample symmetric line bundle $\mathcal{L}$ of degree 1 on
$A$ and a symmetric theta structure $\Theta_{2^\nu\ell}$ of type
$Z_{2^\nu\ell}$ for the line bundle $\mathcal{L}^{2^\nu\ell}$ where
$Z_{2^\nu\ell}$ is as in Section 2.1. We denote the theta null point with
respect to the theta structure $\Theta_{2^\nu\ell}$ by
$(a_u)_{u \in Z_{2^\nu\ell}}$. By symmetry we have $a_u = a_{-u}$ for all
$u \in Z_{2^\nu\ell}$.

The higher dimensional analogue of Riemann's equation for the case of a
level-$2^\nu\ell$ theta structure is given by the following theorem. We
consider quadruples $(v_i, w_i, x_i, y_i) \in Z_{2^\nu\ell}^4$ where $i = 1, 2$
as equivalent if there exists a permutation matrix
$P \in \mathrm{Mat}_4(\mathbb{Z})$ such that

$$(v_1 + w_1, v_1 - w_1, x_1 + y_1, x_1 - y_1) = (v_2 + w_2, v_2 - w_2, x_2 + y_2, x_2 - y_2)P.$$

Let $\hat{Z}_2$ be the character group of $Z_2$.

Theorem 2.6. For equivalent quadruples
$(v_1, w_1, x_1, y_1), (v_2, w_2, x_2, y_2) \in Z_{2^\nu\ell}^4$ and for all
$\chi \in \hat{Z}_2$ the following equality holds

$$\sum_{t \in Z_2} \chi(t)\, a_{v_1+t}\, a_{w_1+t} \sum_{s \in Z_2} \chi(s)\, a_{x_1+s}\, a_{y_1+s} = \sum_{t \in Z_2} \chi(t)\, a_{v_2+t}\, a_{w_2+t} \sum_{s \in Z_2} \chi(s)\, a_{x_2+s}\, a_{y_2+s}.$$

We refer to [Mum66, §3] for a proof of this theorem.

Example g = 1, p = 3, v = 1: 

= aia^a^ — 2a\a\ + 020003 

3 2 4224 3 2 

= O2O + aia O3 — a 2 — 2aia 2 — a i + oia 3 + 020003 
Example g = 1, p = 5, v = 1: 



= — a 5 a 2 a 4 + a 2 a 4 + a 3 a 4 — a^pOs + Oi0 2 — a 5 aia 3 + a 1 a 3 — O2O a 4 

= — a^aoCi4 + 020304 — 050ia 4 + 010203 

= — O50oa3a 4 + 2ai0203a 4 — 05010200 

= —050200 + 2a\a\ — 050^03 

3 3 3 2 2 2 3 2 

= a 2 ao — 0103 + 0503 + 020003 + 050203 — aia3a 4 — a2a 4 — Oi02a 4 

2 2 2 2 2 2 

= — 2ai0203a 4 + a 5 ai03 — + 05010200 + O2O a 4 — a 2 a 4 + O5ao03a 4 

2 2 2 2 2 2 

= — a 5 a2a 4 + a 3 a 4 — 0500030,4 + Oi0 2 + 2ai0203a 4 — 05010200 — aia a3 
= OgOoa 4 — 1a\a\ + osOiOq 

= 020003 + 050^03 — Oi030 4 — Oi020 4 

= — OiOoa 4 + a^Ozt + aiOg — aoo 4 — 050^ — 050104 + 020 3 a 4 + aio 2 a3 

o a 9 o o <y o A 

= o 2 a — a 1 + a 5 a Q a 3 + a 5 a 3 + a 5 a 2 ao - 2aia 4 - a 4 
= OgOi — a 2 + Oq0 4 + a 5 aoa 4 — a 3 — 2a 2 a 3 + 050100 



2.3 Theta null points of level $2^\nu p$

Let $\mathbb{F}_q$ be a finite field of characteristic $p > 2$. Let
$A_{\mathbb{F}_q}$ be an ordinary abelian variety over $\mathbb{F}_q$. Suppose
that we are given a semi-canonical symmetric product theta structure
$\Theta_{2^\nu p} = \Theta_{2^\nu} \times \Theta_p$ as in Section 2.1. We
denote the theta null point with respect to the theta structure
$\Theta_{2^\nu p}$ by $(a_u)_{u \in Z_{2^\nu p}}$. We can assume that there
exists a $v \in Z_{2^\nu}$ such that $a_v$ is a unit in $\mathbb{Z}_q$. Here
$Z_{2^\nu}$ is considered as a subgroup of $Z_{2^\nu p}$ via the map
$j \mapsto pj$. Let $I$ be the ideal of the multivariate polynomial ring
$\mathbb{F}_q[x_u \mid u \in Z_{2^\nu p}]$ which is spanned by the relations of
Theorem 2.6 taken modulo $p$, together with the symmetry relations
$a_u = a_{-u}$ for all $u \in Z_{2^\nu p}$. Let $J$ be the image of $I$ under
the specialization map

$$\mathbb{F}_q[x_u \mid u \in Z_{2^\nu p}] \to \mathbb{F}_q[x_u \mid u \in Z_{2^\nu p},\ 2^\nu u \neq 0], \quad x_u \mapsto \begin{cases} a_u, & u \in Z_{2^\nu} \\ x_u, & \text{else.} \end{cases}$$

The following theorem is proven in Section 5.

Theorem 2.7. If $\nu > 2$, then the ideal $J$ defines a 0-dimensional affine
algebraic set.

By the primitive element theorem there exists $f(x) \in \mathbb{F}_q[x]$ such
that

$$\mathbb{F}_q[x_u \mid u \in Z_{2^\nu p},\ 2^\nu u \neq 0]/\mathrm{rad}(J) \cong \mathbb{F}_q[x]/(f).$$

The theta null point $(a_u)_{u \in Z_{2^\nu p}}$ induces an element
$z \in \mathbb{F}_q$ such that $f(z) = 0$. Generically, one can obtain the
polynomial $f$ by a Groebner basis computation. Theorem 2.7 enables one to
calculate the full theta null point $(a_u)_{u \in Z_{2^\nu p}}$ over
$\mathbb{F}_q$ from the knowledge of its $2^\nu$-torsion part. As a
consequence, by means of the well-known Thomae formulas and a Groebner basis
computation algorithm, one can produce arbitrary theta null points of level
$2^\nu p$, which correspond to ordinary hyperelliptic curves over
$\mathbb{F}_q$.

We remark that in the case $\nu = 1$, we have computationally verified in many
cases that the conclusion of Theorem 2.7 still holds.



2.4 A generalized trace formula

Let $A$ be an abelian scheme over $\mathbb{Z}_q$. We assume that $A$ has
ordinary reduction and that it is the canonical lift of the reduction
$A_{\mathbb{F}_q}$. Suppose that
$\Theta_{2^\nu p} = \Theta_{2^\nu} \times \Theta_p$ is a semi-canonical
symmetric product theta structure over $\mathbb{Z}_q$ of type $Z_{2^\nu p}$ for
$\mathcal{L}^{2^\nu p}$. Let $(a_u)_{u \in Z_{2^\nu p}}$ denote the theta null
point with respect to the theta structure $\Theta_{2^\nu p}$.

Let $F \in \mathrm{End}_{\mathbb{F}_q}(A_{\mathbb{F}_q})$ be the absolute
Frobenius endomorphism of $A_{\mathbb{F}_q}$, and let $\ell$ be a prime
different from the characteristic $p$ of $\mathbb{F}_q$. We denote the
$\ell$-adic Tate module of $A_{\mathbb{F}_q}$ by $T_\ell(A_{\mathbb{F}_q})$.
Recall that the $\ell$-adic Tate module is a free $\mathbb{Z}_\ell$-module of
rank $2g$, where $g$ is the dimension of $A_{\mathbb{F}_q}$. The absolute
Frobenius morphism $F$ induces a $\mathbb{Z}_\ell$-linear map $\rho_\ell(F)$ on
$T_\ell(A_{\mathbb{F}_q})$ which corresponds, once a basis of
$T_\ell(A_{\mathbb{F}_q})$ is chosen, to a $(2g \times 2g)$-matrix $M_F$ with
coefficients in $\mathbb{Z}_\ell$. Because of the ordinary reduction, we know
that $M_F$ has precisely $g$ eigenvalues $\pi_1, \ldots, \pi_g$, which are
units modulo $p$ [Dem72, Ch.V].

Theorem 2.8. Suppose that $\Theta_{2^\nu p}$ is defined over $\mathbb{Z}_q$.
Then the product $\pi_1 \cdots \pi_g$ is an element of the ring $\mathbb{Z}_q$
and we have

TTl • ■ ■ ■ ■ 7T g = N<Q g /Q p ( ^ ueZ2 " " j . (5) 

Here $Z_{2^\nu}$ is considered as a subgroup of $Z_{2^\nu p}$ via the map
$j \mapsto pj$.

The rest of this section is devoted to the proof of Theorem 2.8. We first
fix some additional notations. If $\mathcal{L}$ is a line bundle on an abelian
variety, we denote by $K(\mathcal{L})$ the kernel of the isogeny
$A \to \mathrm{Pic}^0_A$ induced by $\mathcal{L}$. Denote by $G(\mathcal{L})$
the theta group associated to $\mathcal{L}$ (see [Mum66, pp.289]). For any
positive integer $n$, we denote the Heisenberg group of type $Z_n$ by
$\mathcal{H}(Z_n)$ [BL04, pp.161]. Denote by $\hat{Z}_n$ the dual of $Z_n$, we
have by definition
$\mathcal{H}(Z_n) = \mathbb{G}_m \times Z_n \times \hat{Z}_n$ together with the
group law defined by

$$(\alpha, x, l).(\alpha', x', l') = (\alpha.\alpha'.l'(x),\ x + x',\ l.l'),$$

where $(\alpha, x, l)$ and $(\alpha', x', l')$ are points of $\mathcal{H}(Z_n)$.

During the course of the proof, as we are working with schemes over different
base rings, to avoid ambiguity, we recall the base ring in subscript. In
particular, we let $A = A_{\mathbb{Z}_q}$,
$\mathcal{L} = \mathcal{L}_{\mathbb{Z}_q}$ and
$\Theta_{2^\nu p} = \Theta_{\mathbb{Z}_q, 2^\nu p}$. We recall that
$\Theta_{2^\nu p}$ induces a decomposition
$K(\mathcal{L}^{2^\nu p}) = K_1(\mathcal{L}^{2^\nu p}) \times K_2(\mathcal{L}^{2^\nu p})$
into isotropic subgroups $K_1(\mathcal{L}^{2^\nu p})$ and
$K_2(\mathcal{L}^{2^\nu p})$ for the commutator pairing.

We fix an embedding $\psi : \mathbb{C}_p \to \mathbb{C}$ where $\mathbb{C}_p$
is the completion of the algebraic closure of $\mathbb{Q}_p$ [Rob00, Ch.3]. The
base extended abelian variety
$A_{\mathbb{C}} = A_{\mathbb{Z}_q} \times_\psi \mathrm{Spec}(\mathbb{C})$ is a
complex variety with a polarization $\mathcal{L}_{\mathbb{C}}^{2^\nu p}$
defined by
$\mathcal{L}_{\mathbb{C}}^{2^\nu p} = \mathcal{L}_{\mathbb{Z}_q}^{2^\nu p} \otimes_\psi \mathbb{C}$.
We remark that $K(\mathcal{L}_{\mathbb{C}}^{2^\nu p})$ comes equipped with a
Lagrangian decomposition which is inherited from the theta structure
$\Theta_{2^\nu p,\mathbb{C}} = \Theta_{2^\nu p} \otimes \mathbb{C}$. From the
above decomposition we deduce the period matrix $(I\ \Omega)$ with $I$ the $g$
dimensional unity matrix and $\Omega$ an element of $\mathbb{H}_g$ the $g$
dimensional Siegel upper half space. In the following, for any
$\Omega \in \mathbb{H}_g$, we denote by $\Lambda_\Omega$ the lattice
$\mathbb{Z}^g + \Omega\mathbb{Z}^g$. If we let
$A_{an} = \mathbb{C}^g/\Lambda_\Omega$, we have an analytic isomorphism
$j_{an} : A_{\mathbb{C}} \to A_{an}$. Let
$\kappa : \mathbb{C}^g \to \mathbb{C}^g/\Lambda_\Omega$ be the canonical
projection.

We can suppose that $\Omega$ is chosen such that the $p$-torsion points of
$A_{an}$, given by $\kappa((1/p).\mathbb{Z}^g)$, correspond via to a canonical
lift of the maximal étale quotient of $A_{\mathbb{Z}_q}[p]$, where is
identified to $A_{\mathbb{C}}$ via $\psi$.

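For $e_1, e_2 \in Z_\ell$, we define the theta function with rational
characteristics as

$$\theta_\ell\!\left[{e_1 \atop e_2}\right](z, \Omega) = \sum_{n \in \mathbb{Z}^g} \exp\left[\pi i\, {}^t(n + \tfrac{e_1}{\ell})\,\Omega\,(n + \tfrac{e_1}{\ell}) + 2\pi i\, {}^t(n + \tfrac{e_1}{\ell}).(z + \tfrac{e_2}{\ell})\right]. \quad (6)$$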



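Recall that $(a_u)_{u \in Z_{2^\nu p}}$ denote the theta null point with
respect to the theta structure $\Theta_{2^\nu p}$. We have the

Lemma 2.9. There exists a constant factor $\lambda \in \mathbb{C}$,
$\chi \in \hat{Z}_{2^\nu p}$ a character of order 2 and $\delta \in Z_2$, such
that for all $u \in Z_{2^\nu p}$,

$$(a_u \otimes_{\mathbb{Q}_q} \mathbb{C}) = \lambda\, \chi(u)\, \theta_{2^\nu p}\!\left[{0 \atop u + \delta}\right](0, 1/(2^\nu p).\Omega), \quad (7)$$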

where Z2 is considered as a subgroup of Z2» p via the map j 1— » j2" p. 

Proof. From the theta structure ®z 2 u p of type Z^p we deduce immediately 
by tensoring with C a theta structure 0<c,2"p of type Z^^-p for Jzfj? p . Then 
(a u ®q q <C) ue z 2Vp is the theta null point defined by the theta structure Qc,2"p- 
As _£f c p is by hypothesis a symmetric line bundle, by [BL041 Lem.4.6.2], there 
exists acei c [2]n K(Jg£ p ) such that ^(j^f p ) ~ Jf 2> , where ^f 2 " p is the 
canonical bundle associate to the decomposition provided by the matrix period 
n (see [BL041 Lem.3.1.1]). 

The line bundle £££ p comes with a symmetric theta structure 0o defined by 
the decomposition associated to f2 and the element £ AT(Jz? 2 p ) (see |BL041 
Lem.6.6.5]). The theta null point for the theta structure Oq is 



2 , p [OK0,l/(2^).fi))„ 



ez 2 



by [BL041 Prop.6.7.1]. 

As c £ K(Jf£ p ), we have an isomorphism of theta groups C : ^(-5?c P ) ~~ * 
^(^ 2 " p ) defined by (((y,ip y )) = (y,^ o ^ o rZ 1 *) where t y denotes the 
translation by y. Note that this isomorphism induces the identity on K(££ c p ) = 

The isomorphism Qq o £ : ^(jSf c p ) — > TL{Z2" P ) is a theta structure for 
^(-£?C p ). Denote by 9q the morphism if (jSf c p ) — » x Z2^ p deduced from 
6o- By definition of £, the theta null point for the theta structure Qq o £ is 
deduced from the theta null point for G>o by acting upon it with 80(c) (for 
a definition of this action see |Mum66[ pp.297]) so that it can be written as 
(Xi(u)e [ U+ V] (z,l/(2»p).n)) ueZ2Vp wheree (c) = (5 uX i) € Z 2 , p x £ 2 „ p . 

As Gc,2"p and Oo o ( are two symmetric theta structures of p which 
induce the same symplectic isomorphism Oo, they are defined up to a transla- 
tion by an element c in A c [2] by [BL041 Prop. 6. 9. 4]. Let (<5 2 ,X2) = ©o(co), 
a theta null point for Jzf c p with the theta structure ©c,2"p is given modulo 
multiplication by a factor independent of u by 

(Xi(u)x2(u)6 2 » p [ u+s 1+ s 2 ] (z,l/(2 v p).fL)) ueZ2 „ p . 

We remark that xi, X2 an d X are charaters of order 2 of Z 2 v p . We conclude the 
proof by setting 8 = 5\ + S 2 and x — Xi-X2- d 

Lemma 2.10. Let $F$ be the Frobenius morphism acting on $A_{\mathbb{F}_q}$ and
let $\pi_1, \ldots, \pi_g$ be the eigenvalues of the $\ell$-adic representation
$\rho_\ell(F)$ which are units modulo $p$. Let $n = \log_p(q)$. For all
$e_1, e_2 \in Z_2$, we have

fl 2 [£]((), 2".H) 2 

e 2 [i\){Q,2^nf 7ri ""' 7V 

Proof. Let A' z be the quotient of A% q by Ki(JC z P )[2 V ] the maximal 2^-torsion 
subgroup of K\. As Ki(Jif^ p )[2 u ] is an isotropic subgroup of JT(jSfg p ) for the 
commutator pairing, the line bundle Jz?^ P descends to a line bundle Jz?^ P on 
which comes with a Lagrangian decomposition K{J£%) — K\{^^) x K 2 (Jz?j P ) 
and a theta structure Q' p of type Z p inherited from 62^ by |Mum66[ Prop. 2]. 

We remark that A% being the quotient of Aj Jq by an etale subgroup is a 
canonical lift of its special fiber A^ . As before, we can consider A' c = A'^ ®^ C 
and we have an isomorphism of analytic varieties f : A' c — » A' an = <C 9 / ' K 2 ^q,. 
Let k' : C 9 — > A' c be the canonical projection. By the choice we have made 
on f2, the p— torsion points of A' an given by k'(1/p.Z 9 ) correspond via to a 
canonical lift of the maximal etale quotient of A' z [p] . 

We can then consider the analytic variety A'" n = C 9 /A p ™ 2 vQ. The inclusion 
of lattices A p n 2 "n C A 2 »n gives an isogeny 1 : A'™„ — > A' an . Using exactly the 
same proof as in [Rit03, pp.78], one obtains that t is a lift of the Frobenius
morphism acting on A' k , that A'™ n and A' an are two representatives of the same 
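class element of $\mathbb{H}_g/\Gamma_g(p)$. Moreover, for all $\epsilon_1, \epsilon_2 \in Z_2$ we have

$$\theta_2\left[{\epsilon_1 \atop \epsilon_2}\right](0, 2^\nu \cdot \Omega)^2 = (\pi_1 \cdots \pi_g)\,\theta_2\left[{\epsilon_1 \atop \epsilon_2}\right](0, 2^\nu p^n \cdot \Omega)^2,$$

where $\pi_1, \dots, \pi_g$ are the $g$ eigenvalues of the $\ell$-adic representation of the Frobenius
morphism acting on $A'_{\mathbb{F}_q}$ which are units modulo $p$.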

The hypothesis that Q 2 ^ is defined over 7L q implies that K\{J£^ p )[2"] is 
defined over ¥ q . As a consequence, the two abelian varieties A$ g and A' ¥ are 
$\mathbb{F}_q$-isogenous and, using a theorem of Tate [Tat66], we deduce immediately that
they have the same characteristic polynomial of the Frobenius morphism. □

pj . For each \ G Z%v v character of 



;§](o,(27 P ).n). 



Lemma 2.11. Let 7 : Z<p — » .Z^p, j 
order 2, there exists e E Z 2 such that 

E x(7W)^[ T w](0.1/(2^).fl) 
We have also:

E 12] (0, l/(2».^) = [8] (o,2>fi). 

Proof. For $l \in \mathbb{N}^*$, $a, b \in Z_l$ and $\Omega \in \mathbb{H}_g$, we put:

/„ = 0i[ a / , ](z«,i.n o ) 
ffb = ^ [$] (^r^Qo) 



Then we have the following formula (see [Mum83, pp.124]):

fa 



exp(-27rj— )g b . 

aez, 



(8) 



Let x G ^2"p be a character of order 2 and let e 6 Z 2 be such that for all 
u G Z 2 "p, we have x(m) = exp(— nieu). The lemma is obtained by applying 
formula ([8} with Z = 2", SIq = P^ an d then with I = 2^p and f2o = fi. □ 



We are ready to prove Proposition 2.8. Let $\gamma' : Z_2 \to Z_{2^\nu p}$, $j \mapsto 2^{\nu-1}p\,j$.
By applying successively Lemma 2.9 and Lemma 2.11 we obtain that for an
element $\delta \in Z_2$ and $\chi \in \hat{Z}_{2^\nu p}$ a character of order 2 we have



ez 2 



ez 2 









11+7' (<5) 


(0 > l/(2».fi) 




x'(u)e 2 „ p 




u+y'{6) 

["J (0,1/ 


(o,i/(2" P ).n) 

'(2"p).fi) 



E tte ^,x , («)^p[2](o,i/(2" P ).n) 
e a [§](o,(27p).n) 



ftj[g](o,(2" P ).n) ' 

where x'( w ) = u+7'(J) and e is chosen such that for all u £ ^2"p we have x'( u ) 
exp(— nieu). The second equality is due to the fact that Aeicfl Ki(J&c)- 
On the other side we have 



? 2 [g](o,(27p).n) 
fe[S](o,2"p.n) 



7Ti . . 



fl 2 [g](o,(27p").n) 

2 [S](O,2"p".fi) 

fl 2 [g](o,2^) 
a [o](o,2"p».n) 
by Lemma 2.10.



3 Description of the algorithm 

In this section we explain how to use the formulas given in Section [5] in order 
to count points on the Jacobian of a generic ordinary hyperelliptic curve over 
a finite field of odd characteristic. Assume that we have chosen a prime p > 2 
and an integer g > 1. 

Theorem 3.1. Let $C$ be a hyperelliptic curve of genus $g$ with all Weierstrass
points rational over a finite field $\mathbb{F}_q$ of characteristic $p$ such that the Jacobian
$J(C)$ is ordinary and absolutely simple. Let $\nu$ be an integer greater than or equal to 3;
we suppose that the $2^\nu$-torsion of $J(C)$ is defined over $\mathbb{F}_q$. The algorithm for
the computation of the number of $\mathbb{F}_q$-rational points $\#C(\mathbb{F}_q)$ of the curve $C$,
that we give in the following, has asymptotic time complexity $O(n^{2+o(1)})$ and
asymptotic space complexity $O(n^2)$ where $n = \log(\#\mathbb{F}_q)$.

From Theorem 3.1 we deduce

Corollary 3.2. Let $C$ be a hyperelliptic curve of genus $g$ over a finite field
$\mathbb{F}_q$ of characteristic $p$ such that the Jacobian $J(C)$ is ordinary and absolutely
simple. There exists an algorithm to compute the number of $\mathbb{F}_q$-rational points
$\#C(\mathbb{F}_q)$ of the curve $C$ which has asymptotic time complexity $O(n^{2+o(1)})$ and
asymptotic space complexity $O(n^2)$ where $n = \log(\#\mathbb{F}_q)$.

Proof. Let $\nu$ be an integer greater than or equal to 3. Let $\mathbb{F}_{q^r}$ be an extension of $\mathbb{F}_q$
and consider $C_{\mathbb{F}_{q^r}}$ the curve obtained from $C$ by doing a base field extension
from $\mathbb{F}_q$ to $\mathbb{F}_{q^r}$. We suppose that $r$ is chosen such that the $2^\nu$-torsion points of
$J(C_{\mathbb{F}_{q^r}})$ are defined over $\mathbb{F}_{q^r}$. Using a rational expression of the group law on
$J(C)$, we see that there exists a bound on $r$ which is independent of the choice
of $C$ when $g$ is fixed.

Applying Theorem 3.1 we obtain in time $O(n^{2+o(1)})$ the characteristic polynomial
$\chi_{F'}$ of the $q^r$-Frobenius morphism $F'$. Let $\alpha'_1, \dots, \alpha'_{2g}$ be the roots
of $\chi_{F'}$. On the other side, let $\alpha_1, \dots, \alpha_{2g}$ be the roots of $\chi_F$, the characteristic
polynomial of the $q$-Frobenius acting on $C$. We have by [Sti93, Theorem V.1.15],
$\alpha'_i = \alpha_i^r$. By computing the roots $\alpha'_1, \dots, \alpha'_{2g}$ and taking their $r$-th root, we obtain
a finite set of possible roots for $\chi_F$ up to permutation of the indices. In
order to finish the proof, we just have to remark that all the above computations
for a fixed genus have constant complexity with respect to $\log(q)$. Moreover, it
is possible to check the result of the computations in quasi-quadratic time by
taking a point $P$ of $J(C)$ and computing $\lambda.P$ where $\lambda$ is the supposed group
order of $J(C)$. □

We remark that the existence of such a quasi-quadratic time algorithm in
the special case $p = 2$ is proved in [LD06]. In the following we give an algorithm
which is expected to have the desired properties. In the case that we take $\nu = 1$
in the statement of Theorem 3.1 we have verified that the correctness of the
algorithm still holds by counting points on many examples of elliptic curves
in characteristic 3 and 5 and on some genus 2 curves in characteristic 3. Our
algorithm follows the so-called lift and norm paradigm which was introduced by
Satoh in [Sat00]. The algorithm is as follows.

We assume that the hyperelliptic curve C is given by an equation of the form 

2g+2 

i=i 

where $\bar{\alpha}_i \in \mathbb{F}_q$.

Initialization phase: Let $J(C)$ be the Jacobian of $C$. The aim of this first
phase is to compute the theta null point associated to a semi-canonical product
theta structure $\Theta_{2^\nu p} = \Theta_{2^\nu} \times \Theta_p$ for $\mathscr{L}^{2^\nu p}$ (compare Section 2.1) where $\mathscr{L}$ is a
degree 1 symmetric ample line bundle on $J(C)$.

This can be done in the following way. First compute the theta null point
associated to a theta structure $\Theta_2$ of type $Z_2$ for $\mathscr{L}^2$. By considering any lift
of $C$ over $W(\mathbb{F}_q)$ defined by lifts $\alpha_i$ of $\bar{\alpha}_i$ over $\mathbb{Z}_q$ and a given embedding
$\psi : \mathbb{Z}_q \to \mathbb{C}$ one can view the Jacobian of the lifted curve as a complex
abelian variety. One can consider a symplectic basis of $H_1(C, \mathbb{Z})$ given by
A-cycles and B-cycles as described in [Mum84]. The associated period matrix $\Omega$
of $J(C)$ is an element of $\mathbb{H}_g$, the $g$-dimensional Siegel upper half plane. For
£1,62 <E N and I £ N*, we denote by 9i [ll] (z,f2) the Riemann theta function 
with rational characteristic given by ([6"]). 

According to [Mum83, pp.124] a theta null point associated to a well chosen
theta structure of the second power of the degree 1 canonical line bundle defined
by $\Omega$ is given by $(a_u)_{u \in Z_2}$ with

a u = A0 2 [2](O,l/2fi), 

where $\lambda \in \mathbb{C}^*$. This theta null point, which corresponds to the case $\nu = 1$, can
be computed in two steps.

Step 1. For i = 1 . . .g, let n be the vector (Ti,j)j^{i,... t g} such that Tjj = if 
j < i and Tjj = 1 if i > i. Using the Thomae-Fay formulas |Mum841 pp.121], 
we compute 



01 [«] (0, SI) 2 = ± Yl ( a 2i+e t - a 2 j+e J ){a2i+l-e, - U 2 j+l- ej ), 

V 0<i<J<D 

where eo = and the vector (ej)i = i,.. s € F2 is given by (e^) = u + Y^t=i V i- T ii 
for i = 1, . . . ,g, where v = (vi) S F|. Here we choose the sign of the square root 
at random. 
Step 2. Case $\nu = 1$. We proceed to a reverse duplication step which can be
done according to the Riemann duplication formulas [Fay73] by finding $(a_u)_{u \in Z_2}$
such that

v£Z 2 

This algebraic system may be solved by using the Groebner basis algorithm and
by picking up any solution. We check that we obtain a valid theta null point
by computing the associated 4-theta null point and verifying that it satisfies the
level-4 Riemann type equations (compare with Section 2.2). If this is not the
case, we go back to Step 1 and choose different signs for the square roots.

Let $\mathrm{Sp}(2g, \mathbb{Z})$ be the group of symplectic matrices acting on $\mathbb{H}_g$. Denote by
$\Gamma_2$ the subgroup of $\mathrm{Sp}(2g, \mathbb{Z})$ consisting of the elements $\gamma \in \mathrm{Sp}(2g, \mathbb{Z})$ such that
$\gamma \equiv I_{2g} \bmod 2$ where $I_{2g}$ is the identity matrix of dimension $2g$. The resulting
theta null point $(a_u)_{u \in Z_2}$ has the property that if we raise to the fourth power
the coordinates of its image by the Riemann duplication formula, we recover the
values deduced from the ramification points $\alpha_i$ of $C$ by the Thomae formulas.
According to [Mum84, pp.3.131] this means that $(a_u)_{u \in Z_2}$ is the theta null point
associated to the second power of a degree one symmetric ample line bundle
defined by $\Omega'$ where $\Omega' = \gamma.\Omega$ for an element $\gamma \in \Gamma_2$.

As all the computations described in this paragraph are algebraic, they can
be made directly in $\mathbb{Z}_q$ using the embedding $\psi$, and even in $\mathbb{F}_q$ as $C$ has good
reduction modulo $p$. This procedure gives the computation of a theta null point
$(a_u)_{u \in Z_2}$ for a symmetric theta structure $\Theta_2$ associated to the second power of
a degree 1 ample symmetric line bundle $\mathscr{L}$ on $J(C)$. It should be noted that
we have to assume that $\Theta_2$ is rational over $\mathbb{F}_q$ in order to have that $a_u \in \mathbb{F}_q$, for
$u \in Z_2$.

Now, we describe a variation of Step 2 to cover the case $\nu > 1$.

Step 2'. Case v > 1. From the knowledge of 9\ [£] (0, fl), we proceed to two 
reverse duplication steps which can be done by finding successively for i = 1,2, 
u,v G Z 2 , 2 [u] (0, (l/2 4 )^) such that 

e 2 [i] (0, = ^E i- 1 )^ [«+*] (°< (i/2*m [°] (0, (i/2*)n). 

t£Z 2 

This algebraic system can easily be solved by using the Groebner basis algorithm 
and by picking up any suitable solution, we obtain 9 2 ["] (0, (1/4). fi). If v G Z 2 , 
denote by v the element of Z 2 defined by v : Z 2 — > { — 1, 1} G Z, z = (zi) 1— > 
(_l)£2=i*i«*. 

On the other side, we have Z 2 ~ Zi/Z 2 and let cf> : Z 2 Z^jZ 2 —* Z4 be a 
section of the canonical projection. Let (6 u ) u g^ 4 be defined such that 

2 m (o, (i/4).fi) = £ 
where $Z_2$ is considered as a subgroup of $Z_4$ via $j \mapsto 2j$. We can compute
$(b_u)_{u \in Z_4}$ from the knowledge of $\theta_4[u](0, \Omega)$ by solving a linear system of fixed
size.

We know [Mum66, pp.334] that $(b_u)_{u \in Z_4}$ is the theta null point of $J(C)$
associated to a symmetric theta structure of type $Z_4$. Now, plugging $(b_u)_{u \in Z_4}$
into the relations given by the Riemann equations of level $2^\nu$ (compare with
Section [2~2]) together with the symmetric relations, we know by MumJ?, pp.87] 
that the so obtained system admits a unique solution (a u )«ez 2 </ which may 
easily be computed using a Groebner basis algorithm. 

Step 3. In the following we explain how to compute a level $2^\nu p$-theta null
point from the above $2^\nu$-theta null point. We use the notation of Section 2.5.
Let $I$ be the ideal of the multivariate polynomial ring $\mathbb{F}_q[x_u \mid u \in Z_{2^\nu p}]$ which is
spanned by the relations of Theorem 2.6 together with the symmetry relations
$a_u = a_{-u}$ for $u \in Z_{2^\nu p}$. We find $v \in Z_{2^\nu}$ such that $a_v$ is a unit. Let $J$ be the
image of $I$ under the evaluation map



If we choose an order on the set of the remaining variables $x_u$, $u \in Z_{2^\nu p} \setminus Z_{2^\nu}$, it
defines a well-ordered lexicographic monomial basis on $J$. One can compute a
reduced Groebner basis for $J$ with respect to this monomial order. By Theorem
2.7 the closed subscheme of $\mathrm{Spec}(\mathbb{F}_q[x_u \mid u \in Z_{2^\nu p}, 2^\nu u \neq 0])$ defined by $J$ is of
dimension 0. The last polynomial of this reduced Groebner basis is a univariate
polynomial $f(x) \in \mathbb{F}_q[x]$ and by [BMMT94], we generically have



where the degree of $f$ is uniformly bounded by a function of $g$ and $p$ which
is constant with respect to the complexity parameter $\log_p(q)$. According to
Proposition 2.7 one can pick up a solution $(a_u)_{u \in Z_{2^\nu p}}$ corresponding to the
root of $f$ with multiplicity $p^g$.

Lift phase Let $(a_u)_{u \in Z_{2^\nu p}}$ with $a_u \in \mathbb{F}_q$ be the null point obtained from the
initialization phase. Let $\mathcal{R}$ be the set of polynomials in $\mathbb{Z}_q[x_u, y_u \mid u \in Z_{2^\nu p}]$ deduced
from the relations of Theorem 2.1 and Theorem 2.6 where in the Riemann

type relations a u is replaced by y u for all u £ ^2"p, and in the Frobenius type 

2 

relations, a u and are replaced by x u and y u , respectively, for all u £ Z^p. 
We put $x_0 = y_0 = 1$ and use the symmetry relations in order to obtain a set of
multivariate polynomials depending on $\tfrac{1}{2}[(2^\nu p)^g - 2^{\nu g}] + 2^{\nu g} - 1$ variables $x_u$
and a subset of the same cardinality of the coordinates $y_u$.



Pick up any subset of $\tfrac{1}{2}[(2^\nu p)^g - 2^{\nu g}] + 2^{\nu g} - \tfrac{1}{2}[g(g+1)] - 1$ Riemann type
equations and $\tfrac{1}{2}[g(g+1)]$ Frobenius type equations to form an application



¥ q [x u \u £ Z-2" 



p. 




¥ q [x u \u £ Z 2 , p Xu # 0]/J ~ ¥ q [x]/{f) 1 




(p»+i)-i 
For a suitable choice of the Riemann and Frobenius equations, the conditions
of [LD06, Th.2] are satisfied and one can use the lifting algorithm given ibid. in
order to lift in a canonical way the theta null point $(a_u)_{u \in Z_{2^\nu p}}$ to obtain the
canonical theta null point $(b_u)_{u \in Z_{2^\nu p}}$ of the canonical lift with $b_u \in \mathbb{Z}_q$.



Norm phase We use the notation of Section 2.4. By Proposition 2.8 one
computes the product of the eigenvalues $\pi_1, \dots, \pi_g$ of the absolute $q$-Frobenius
morphism $F$, which are units modulo $p$, as



""I 



ez 2 



y 



ez 2 



Reconstruction phase The problem here is to be able to recover $\chi_F$
from the knowledge of $\lambda = \pi_1 \cdots \pi_g$ computed up to a certain precision $m$. If
the genus $g$ of $C$ is one, then $\chi_F$ is immediately computed from $\pi_1$. In the case
that the curve $C$ has genus 2 one can use the formulas described in [Rit03].

From now on, we suppose that $g > 2$. Following [Rit03, LD06], one can use
the LLL algorithm in order to recover the symmetric polynomial of $C$ considered
as a curve over $\mathbb{F}_q$ that we denote by $P_{sym}$. By definition, the symmetric
polynomial of $C$ is the unitary degree $2^{g-1}$ polynomial whose roots are $x + q^g/x$
where $x$ runs over all products of $g$ terms taken successively in the pairs
$\{\pi_1, q/\pi_1\}, \dots, \{\pi_g, q/\pi_g\}$. It is easy to see that $P_{sym}$ is a polynomial with
coefficients in $\mathbb{Z}$ and that there exists a quick algorithm, at least when $\chi_F$
is irreducible, to compute $\chi_F(\pm T)$ from the knowledge of $P_{sym}$ (see [Rit



By [Tat66], $\chi_F$ is irreducible when the Jacobian of $C$ is absolutely simple, and
this last condition is generic. A last check on the curve allows us to obtain
$\chi_F$. We explicitly determine bounds on the precision $m$ needed when the genus
increases.

The computation of $P_{sym}$ from $\eta = \lambda + q^g/\lambda$ can be done by LLL reducing
the lattice whose basis vectors are given by the columns of the following matrix:



T x M 





T x Mi 





p 

where 

[■Wi]»=0,...,2«- 1 

and 

[<S';]i=o,...,2 ! ,- 1 +i = 



p 

LraxSoJ 



L«xS 2 J 




T x M 23 -i +1 Txp" 



P 



|nxS 2S _i + 1 J 








p (2S l - 1 - i > v i mod 2 m | i G {0, . . . , 2 9 - 1 - 1} 

Ufr? 2 ^ 1 mod 2 m ]. 



"(*-!)(<? -2) 



i e {O,...^ 9 - 1 - 1} 



u 



-22-i( 5 -2) 
where $T$ is some arbitrarily large constant. The powers of $p$ appearing in the $M_i$
are meant to take into account the valuation of the coefficients of $P_{sym}$ while the
$S_i$ offset the difference between the modulus of the coefficients of $P_{sym}$. This
matrix can be used as long as $2^g < n$.

The coefficients of P sym are components of a vector II of small norm in 
C Asymptotic estimates state that a lattice reduction using the LLL algo- 
rithm [LLL821 [Cop97| can compute it if its euclidean norm || || 2 (or sup- norm 
|| ||i) satisfy ||n||i ^ ||n|| 2 «S dct(£) 1 / dim£ . Since we can evaluate, on the first 
hand, the norm 1 1 | |i of II as a function of n and g using the Riemann hypothesis 
for curves and, on the other hand, the determinant of £ as a function of m, g 
and the size of T (product of the elements on diagonal), this yields 



m > n 



ln(2) 



From the knowledge of the roots of $P_{sym}$, it is possible to recover the set
$\{\pi_i^2,\ i = 1 \dots g\}$ [Rit03, pp.119] where the $\pi_i$ are the roots of $\chi_F$ which are units
modulo $p$. In the case that $\chi_F$ is irreducible, we immediately deduce $\chi_F$ from
the knowledge of its roots. In order to remove the sign ambiguity it remains to
determine whether the order of the Jacobian is $\chi_F(1)$ or $\chi_F(-1)$ by multiplying
points with possible group orders.
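
The sign check of the last sentence, worked in genus 1 as an added example (not the authors' implementation): for an elliptic curve the two candidates are $\chi_F(1) = q+1-t$ and $\chi_F(-1) = q+1+t$, and a candidate is discarded as soon as it fails to annihilate a point. Assumptions made here: a prime field instead of an extension, $|t|$ supplied by the caller in place of the lift and norm phases, and two constructed toy curves of the shape $y^2 = x^3 + x^2 + 3x$.

```python
"""Sign check for a genus-1 point count (added illustration).

Assumptions of this example only: prime base field F_p, curve
y^2 = x^3 + a2*x^2 + a4*x + a6 (assumed nonsingular), and |t| given by the
caller instead of being produced by a p-adic lift/norm computation.
"""

INF = None  # point at infinity, neutral element of the group


class Curve:
    def __init__(self, p, a2, a4, a6):
        self.p, self.a2, self.a4, self.a6 = p, a2 % p, a4 % p, a6 % p

    def rhs(self, x):
        return (x * x * x + self.a2 * x * x + self.a4 * x + self.a6) % self.p

    def add(self, P, Q):
        p = self.p
        if P is INF:
            return Q
        if Q is INF:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return INF  # P + (-P); also covers doubling a 2-torsion point
        if P == Q:
            lam = (3 * x1 * x1 + 2 * self.a2 * x1 + self.a4) * pow(2 * y1, -1, p)
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p)
        lam %= p
        x3 = (lam * lam - self.a2 - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k, P):
        """Double-and-add scalar multiplication k.P for k >= 0."""
        R = INF
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def affine_points(self):
        # Exhaustive enumeration: fine for the toy fields used here. Over a
        # cryptographic-size field one samples random points instead.
        for x in range(self.p):
            r = self.rhs(x)
            for y in range(self.p):
                if (y * y) % self.p == r:
                    yield (x, y)


def brute_force_order(curve):
    """Reference count #E(F_p), used only to check the toy examples."""
    return 1 + sum(1 for _ in curve.affine_points())


def surviving_orders(curve, abs_t):
    """Return the candidates among chi(1) = q+1-|t| and chi(-1) = q+1+|t|
    that annihilate every tested point.

    [N]      the sign is resolved and N is the group order;
    [N1, N2] the group exponent divides both candidates, so point
             multiplication alone cannot decide;
    []       no candidate fits, i.e. the supplied |t| is wrong.
    """
    q = curve.p
    if abs_t * abs_t > 4 * q:
        raise ValueError("|t| violates the Hasse-Weil bound")
    candidates = sorted({q + 1 - abs_t, q + 1 + abs_t})
    for P in curve.affine_points():
        candidates = [N for N in candidates if curve.mul(N, P) is INF]
        if len(candidates) <= 1:
            break
    return candidates


# Constructed sample curves: y^2 = x^3 + x^2 + 3x over F_7 and over F_5.
E7 = Curve(7, 1, 3, 0)
E5 = Curve(5, 1, 3, 0)
```

Over $\mathbb{F}_5$ the constructed curve has group $(\mathbb{Z}/2)^2$, so both candidates survive every point: the check needs a point whose order does not divide the wrong candidate, which is why it is run on curves over large fields with several points.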



4 Complexity analysis 

In this section, we give a complexity analysis of the previously described algo- 
rithm. 

Initialisation phase The dominant complexity for this phase is the Groebner 
basis computation of Step 3. Let J be as in Section [2TB1 

Let $D$ be the degree of the ideal $J$. According to [Laz81], the computation
of a Groebner basis with respect to a lexicographic monomial order can be done
by doing a Gaussian elimination on a matrix of dimension given by the number
of monomials of degree $D$. The theorem of Bezout gives a bound on $D$ which
is the product of the degrees of the polynomials generating the ideal $J$. As the
number of polynomial relations defined by Theorem 2.6 depends only on $g$ and
$p$ and the degree of these relations is constant, $D$ is fixed as long as $g$ and $p$
are. This means that the Groebner basis can be computed by doing a Gaussian
elimination on a matrix of fixed dimension whose coefficients are in $\mathbb{F}_q$. This
requires $O(n^\mu)$ time operations where $n$ and $\mu$ have been defined at the end of
the introduction.

We remark that [Laz83] gives a much finer bound on the degree of the
Groebner basis if one chooses for the monomial order of $J$ a graded reverse
lexicographic order. As a consequence, it is better to first compute a Groebner
basis of $J$ for a graded reverse lexicographic order and then use the FGLM
algorithm in order to perform the change of order towards a lexicographic order.
Lift phase In the case that the base field admits a Gaussian Normal Basis
one can lift in time $O(\log(n) m^\mu n^\mu)$ using the algorithm [LL03]. In the general
case, one can use the algorithm of Harley which is in $O(\log(m) m^\mu n^\mu)$ time
complexity [CFA+06, pp.254].

Norm phase In the case that the base field admits a Gaussian Normal Basis
of type $t$, H. Y. Kim et al. described an algorithm of the type "divide and
conquer" in order to compute such a norm. This algorithm has time complexity
$O(\log(n) m^\mu n^\mu)$. For the general case, one can use the algorithm described in
[CFA+06, pp.263] in order to compute the norm in time $O(\log(n) m^\mu n^\mu)$.

Reconstruction phase For fixed genus, the LLL step consists in applying
LLL to a lattice of fixed dimension. Its complexity is the size of the coefficients
of the matrix times the cost for one integer multiplication. This yields, with
asymptotically fast algorithms for multiplying integers, a $O(m^{1+\mu})$ complexity
in time. The cost of the second step is determined by the computation of roots
of polynomials over $\mathbb{C}_p$ and requires $O(m^\mu)$. Finally, checking that the order
of the Jacobian is $\chi_F(\pm 1)$ needs $O(m)$ applications of the group law, that is to
say a complexity in time equal to $O(m n^\mu)$ with Cantor formulas [Can87].

5 A finiteness theorem 

This section is devoted to the proof of Proposition ^. 71 In Section |2~21 we recall 
several equivalent presentations of the Riemann equations which are used in the 
course of the proof given in Section 15.21 

We first fix some notations. Let $A$ be an abelian variety over a field $k$ and
$\mathscr{L}$ be an ample symmetric line bundle over $A$. Let $\Theta_\ell$ be a theta structure for
$\mathscr{L}$ of type $Z_\ell$. Let $(\theta_i^{\Theta_\ell})_{i \in Z_\ell}$ be a basis of the global sections of $\mathscr{L}$ determined
by the theta structure $\Theta_\ell$ and let $x$ be a closed point of $A$. Denote by $\mathcal{O}_A$ the
structure sheaf of $A$ and let $\rho : \mathcal{O}_{A,x} \to k'$ be the evaluation morphism onto the
residual field $k'$ of $x$. We can choose an isomorphism $\xi_x : \mathscr{L}_x \simeq \mathcal{O}_{A,x}$. For all
$i \in Z_\ell$ the evaluation of the section $\theta_i^{\Theta_\ell}$ in $x$ is

$$\theta_i^{\Theta_\ell}(x, \xi_x) = \rho \circ \xi_x(\theta_i^{\Theta_\ell}). \qquad (9)$$

The resulting projective point that we denote by $(\theta_i^{\Theta_\ell}(x))_{i \in Z_\ell}$ over $k$ does not
depend on the choice of the isomorphism $\xi_x$.

5.1 Riemann's equations revisited 

Let $A$ be a $g$ dimensional ordinary abelian variety over a finite field $\mathbb{F}_q$ of
characteristic $p > 2$. Let $\mathscr{L}$ be an ample symmetric degree 1 line bundle on $A$. Let
v > be an integer and I be an odd prime number which can be equal to p. 
Assume that we are given a symmetric theta structure $\Theta_{2^\nu\ell}$ of type $Z_{2^\nu\ell}$ for the
line bundle $\mathscr{L}^{2^\nu\ell}$. The data of $\Theta_{2^\nu\ell}$ defines a basis of global sections of $\mathscr{L}^{2^\nu\ell}$
that we denote by $(\theta_u)_{u \in Z_{2^\nu\ell}}$ and as a consequence, a projective embedding of
$A$ in $\mathbb{P}^{(2^\nu\ell)^g - 1}$.

We denote the theta null point with respect to the theta structure $\Theta_{2^\nu\ell}$ by
$(a_u)_{u \in Z_{2^\nu\ell}}$. The Riemann equations for level $2^\nu\ell$ are given by the following
theorem.
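Theorem 5.1. For all $x, y, u, v \in Z_{2^{\nu+1}\ell}$ which are congruent modulo $Z_{2^\nu\ell}$, and
all $l \in \hat{Z}_2$, we have

$$\Big(\sum_{t \in Z_2} l(t)\,\theta_{x+y+t} \star \theta_{x-y+t}\Big) \cdot \Big(\sum_{t \in Z_2} l(t)\,a_{u+v+t}\,a_{u-v+t}\Big) = \Big(\sum_{t \in Z_2} l(t)\,\theta_{x+u+t} \star \theta_{x-u+t}\Big) \cdot \Big(\sum_{t \in Z_2} l(t)\,a_{y+v+t}\,a_{y-v+t}\Big). \qquad (10)$$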

Proof. By [Mum66j[pp. 339], for all x,y £ Z 2 ^+i£ such that x + y € ^2"£ and 
for all ( £ Z2, we have 

^ l(t)6x+y+t * dx-y+t = ( E «(*)-Oy+t)-( 2 *(*)•*«+*)• (11) 

tez 2 *6Z 2 tez 2 

In particular, we have, 

^2 l(t)a x +y+t-a<x-y+t — 

(E «(*)•%+*)•( E^) 

■Q-x+t )■ (12) 

tez 2 tez 2 tez 2 

Now, using (11) and (12) the left hand side of (10) can be written as

[( e «(*)•%+*).( E K*)-»x+t)] [( E E i(*).o.+0]. (13) 

tez 2 *ez 2 tez 2 tez 2 

In the same manner the right hand side of (10) can be written as

[( J2 i(*)-o«+t).( E K*)-k+t)] t( E E '(*)-°»+0]- ( 14 ) 

tez 2 *gz 2 tez 2 tez 2 

Obviously, (13) and (14) are equal. □

In the following, we suppose that $k$ is the field of definition of $(a_u)_{u \in Z_{2^\nu\ell}}$.
In this section, we denote by $I_{\Theta_{2^\nu\ell}}$ the ideal of $k[x_u \mid u \in Z_{2^\nu\ell}]$ generated by
the relations of Theorem 5.1 where the $\theta_u$ are replaced by $x_u$. It is proved in
[Mum66, §4] that if $\nu > 2$ and $\ell \neq p$, $A$ is isomorphic to the closed projective
sub-variety of $\mathbb{P}_k^{(2^\nu\ell)^g - 1}$ defined by the homogeneous ideal $I_{\Theta_{2^\nu\ell}}$.

We recover Theorem 2.6 from Theorem 5.1 by evaluating at the point $0$ of
$A$ the sections of $\mathscr{L}^{2^\nu\ell}$. The relations of Theorem 2.6 can be reformulated, by
considering the matrix

$$M = \begin{pmatrix} 1 & 1 & 1 & 1 \\ 1 & 1 & -1 & -1 \\ 1 & -1 & 1 & -1 \\ 1 & -1 & -1 & 1 \end{pmatrix}$$

and $(x_1, y_1, u_1, v_1), (x_2, y_2, u_2, v_2) \in (Z_{2^\nu\ell})^4$ such that

$$2 \begin{pmatrix} x_2 \\ y_2 \\ u_2 \\ v_2 \end{pmatrix} = M \begin{pmatrix} x_1 \\ y_1 \\ u_1 \\ v_1 \end{pmatrix}.$$

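If we suppose moreover that $x_2 + y_2 \in 2Z_{2^\nu\ell}$ and $u_2 + v_2 \in 2Z_{2^\nu\ell}$, we have

$$\Big(\sum_{t \in Z_2} l(t)\,a_{x_1+t}\,a_{y_1+t}\Big) \cdot \Big(\sum_{t \in Z_2} l(t)\,a_{u_1+t}\,a_{v_1+t}\Big) = \qquad (15)$$

$$= \Big(\sum_{t \in Z_2} l(t)\,a_{x_2+t}\,a_{y_2+t}\Big) \cdot \Big(\sum_{t \in Z_2} l(t)\,a_{u_2+t}\,a_{v_2+t}\Big), \qquad (16)$$

for all $l \in \hat{Z}_2$.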

By developing and summing up over all the characters of $Z_2$ the Equation
(15), we obtain

$$\sum_{t \in Z_2} a_{x+t}\,a_{y+t}\,a_{u+t}\,a_{v+t} = \sum_{t \in Z_2} a_{x-\tau+t}\,a_{y+\tau+t}\,a_{u+\tau+t}\,a_{v+\tau+t}, \qquad (17)$$

for all $x, y, u, v \in Z_{2^\nu\ell}$ and $\tau \in Z_{2^\nu\ell}$ such that $2\tau = x - y - u - v$.

These relations can also be presented in their classical form. For this, we
keep the notations of the previous paragraph and suppose from here that $\nu >
2$. Recall that $(a_u)_{u \in Z_{2^\nu\ell}}$ denote the theta null point defined by the theta
structure $\Theta_{2^\nu\ell}$. Let $H_{2^\nu\ell} = Z_{2^\nu\ell} \times \hat{Z}_{2^{\nu-1}}$ and for all $x = (x', x'') \in H_{2^\nu\ell}$,
let b x = YlteZ „_i x"(t)a x ' +t . Let ff 2 = \Z 2 X {Z 2 "i)i = e i7 2 ^|a;is2 - 
torsion modulo Z 2 X {0}}. 

Theorem 5.2. Let $(x, y, u, v) \in H_{2^\nu\ell}^4$ and $\tau = (\tau', \tau'') \in H_{2^\nu\ell}$ such that $2\tau =
x - y - u - v$ then

b x b y b u b v = — A(2t')b x - T+t by+T+tb u +T+tbv+T+t, 

t£H 2 

where t = (t, t") and A = t" + t" . 

Proof. It is possible to deduce these relations from (17) following exactly the
same computations as [Mum66, pp. 334]. □

Let (0 u )u£Z 2 v denote the basis of global sections of Jz? 2 defined by the 
theta structure 6 2 ^. Let H 2 » = Z 2 » X Z 2 ^-i and H 2 = ~Z 2 x iZ 2 ») 2 . For all 
x = (x',x") € H 2 », set tf x = Y,tez 2V ^ 1 x"(t)9 x > +t . We have the 

Theorem 5.3. Let $P$, $Q$ be two closed points of $A$. Denote by $\mathcal{O}_A$ the structure
sheaf of $A$. For $X \in \{P, Q, P + Q, P - Q, 0\}$, we choose isomorphisms $\xi_X :
\mathscr{L}^{2^\nu}_X \simeq \mathcal{O}_{A,X}$. Let $(x, y, u, v) \in H_{2^\nu}^4$ and $\tau = (\tau', \tau'') \in H_{2^\nu}$ such that $2\tau =
x - y - u - v$, we have

MP + Q, Zp+q)M p ~ 0- £p-qR(0, &)^(0, Co) = 

= A ^ E ^(^')^-r +t (^^p)Vr+ t (^^p)^u + r +t (Q,eQ)^+r +t (Q,CQ), 

teff 2 

where t — (t',t"), A = t" + i" and A G fc is independent of the choice of 
(x,y,u,v) G H 2 ». 

If $k = \mathbb{C}$, this last formula is exactly [Igu72, pp.141].

5.2 Proof of Theorem 2.7

In this section, we denote by $\mathbb{F}_q$ a finite field of characteristic $p > 2$ with $q$
elements. Let $A$ be an ordinary abelian variety over $\mathbb{F}_q$ and let $\mathscr{L}$ be an ample
symmetric line bundle of degree 1 on $A$. Let $\ell$ be an odd prime number and
suppose that we are given a theta structure $\Theta_{2^\nu}$ for $\mathscr{L}^{2^\nu}$. We denote the theta
null point with respect to the theta structure $\Theta_{2^\nu}$ by $(a_u)_{u \in Z_{2^\nu}}$. We suppose
that $(a_u)_{u \in Z_{2^\nu}}$ is defined over $\mathbb{F}_q$.

In the following Z 2 f is considered as a subgroup of Z%u^ via the map j i— > 
Let $I$ be the ideal of the multivariate polynomial ring $\mathbb{F}_q[x_u \mid u \in Z_{2^\nu\ell}]$ which
is spanned by the relations of Theorem 2.6 taken modulo $p$, together with the
symmetry relations $x_u = x_{-u}$ for all $u \in Z_{2^\nu\ell}$. Let $J$ be the image of $I$ under
the specialization map

$$\mathbb{F}_q[x_u \mid u \in Z_{2^\nu\ell}] \to \mathbb{F}_q[x_u \mid u \in Z_{2^\nu\ell},\ 2^\nu u \neq 0], \qquad x_u \mapsto \begin{cases} a_u, & u \in Z_{2^\nu} \\ x_u, & \text{else.} \end{cases}$$

We want to prove that if $\nu > 2$, the ideal $J$ defines a 0-dimensional affine
algebraic set.

Remark 5.4. In the case that $\nu > 3$ and $\ell$ is prime to $p$, the preceding theorem
can be proved using the general description of the moduli space of abelian varieties
with a theta marking given in [Mumdl]. But this general description is
not available under the hypothesis that we consider. It should also be remarked
that the variety defined by $J$ when $\ell$ is equal to the characteristic of $\mathbb{F}_q$ is singular
so that it is not possible to lift to the $p$-adics to recover the situation where
$\ell$ is different from $p$. In the following we present a proof which is valid both in
the situation where $\ell$ is equal to or different from the characteristic of $\mathbb{F}_q$.

Denote by $J'$ the ideal of $\mathbb{F}_q[x_u \mid u \in Z_{2^\nu\ell}]$ generated by $J$ and the elements
$x_u - a_u$ for all $u \in Z_{2^\nu}$. Denote by $V_{J'}$ the closed sub-variety of the affine
space of dimension $(2^\nu\ell)^g$, $\mathbb{A}^{(2^\nu\ell)^g}$, defined by $J'$. We want to show that $V_{J'}$ is
a 0-dimensional variety.

We recall that the data of $\Theta_{2^\nu}$ gives a basis $(\theta_u)_{u \in Z_{2^\nu}}$ of the global sections
of $\mathscr{L}^{2^\nu}$ on $A$ and as a consequence an embedding of $A$ in $\mathbb{P}^{2^{\nu g} - 1}$. If we denote
by $V_{I_{\Theta_{2^\nu}}}$ the projective variety defined by the homogeneous ideal $I_{\Theta_{2^\nu}}$, $A$ is
isomorphic to $V_{I_{\Theta_{2^\nu}}}$ as an abelian variety [Mum66, §4].

The idea of the proof of Theorem 2.7 is to interpret the solutions of $J'$
as closed points in the variety $A = V_{I_{\Theta_{2^\nu}}}$ and then to show that these points
are $\ell$-torsion points of $A$. This is exactly the content of Lemma 5.5 and Lemma
5.6.

Let $\pi : Z_{2^\nu} \times Z_\ell \to Z_{2^\nu\ell}$ and $\pi' : Z_{2^{\nu+1}} \times Z_\ell \to Z_{2^{\nu+1}\ell}$ be the isomorphisms
deduced from the Chinese remainder theorem.

Lemma 5.5. Suppose that $(c_v)_{v \in Z_{2^\nu\ell}}$ is a closed point of $V_{J'}$. For any $i \in Z_\ell$
let $P_i$ be the closed point of $\mathbb{P}^{2^{\nu g} - 1}$ with homogeneous coordinates $(c_{\pi(k,i)})_{k \in Z_{2^\nu}}$.
For all $i \in Z_\ell$, $P_i$ is a closed point of $V_{I_{\Theta_{2^\nu}}}$.

Proof. It is enough to verify that for all $i \in Z_\ell$, $(c_{\pi(k,i)})_{k \in Z_{2^\nu}}$ satisfy the equations
provided by the elements of $I_{\Theta_{2^\nu}}$. For $i = 0$ this is an immediate consequence
of the hypothesis that $(a_k)_{k \in Z_{2^\nu}}$ is the theta null point associated to
$\Theta_{2^\nu}$ and that by definition of $J'$, $a_k = c_{\pi(k,0)}$ for all $k \in Z_{2^\nu}$.

Let $x, y, u, v \in Z_{2^{\nu+1}}$ which are congruent modulo $Z_{2^\nu}$. For any $i \in Z_\ell - \{0\}$,
we remark that $\pi(x, i), \pi(y, 0), \pi(u, 0), \pi(v, 0) \in Z_{2^{\nu+1}\ell}$ are congruent modulo
$Z_{2^\nu\ell}$. By definition of $I$ and the relations of Theorem 2.6, $(c_{\pi(k,i)})_{k \in Z_{2^\nu}}$ satisfy
the relation

( Ht) c ir(x+y : i)+t C TT{x-y,i)+t) •( l{t) C TT(u+v,0)+tC 7T (u-v,0)+t) 

'■ 7 t£Z 2 

)-(E'(*) 

tez 2 tez 2 
for all I £ Z 2 . 

Taking care of the fact that $c_{\pi(k,0)} = a_k$ for all $k \in Z_{2^\nu}$, we deduce that
the point with homogeneous coordinates $(c_{\pi(k,i)})_{k \in Z_{2^\nu}}$ satisfies all the relations
of Theorem 5.1 and as a consequence is a closed point of $V_{I_{\Theta_{2^\nu}}}$. □

Let $(c_v)_{v \in Z_{2^\nu\ell}}$ be a closed point of $V_{J'}$. Applying Lemma 5.5 we denote by
$P_i$ the closed point of $V_{I_{\Theta_{2^\nu}}}$ with homogeneous coordinates $(c_{\pi(k,i)})_{k \in Z_{2^\nu}}$.

Lemma 5.6. The closed point Pi is a t-torsion point of A. Moreover the 
application cj> from the set of geometric points of Vj> to (F g ) defined by <p : 

2 W £ £ 

¥ q F g; i c j)jez 2 , e >-> (c 7r ( fc ,i))fcez 2 " is injective. 

Proof. We are going to prove inductively on $i \in 1, \dots, \ell$ that on the abelian
variety $V_{I_{\Theta_{2^\nu}}}$ the point $i.P_1$ is equal to the point $P_i$. Applying this result for
$i = \ell$, we obtain that $\ell P_1 = P_\ell = P_0$ and $P_0$ is the point $0$ of $A$ which means
that $P_1$ is an $\ell$-torsion point of $A$.

The induction hypothesis is clear for i = 1. Let (^ u ) H ez 2 » be the basis of 
global section of Jz? 2 defined by 02" ■ We suppose that for all 1 < j < i— 1, there 
exists an isomorphism ^,j.p 1 : -^fp — &A,j.Pi such that (9k(j-Pi, Cj.Pi))fce2 2 " = 
( c Tr(k.j))kez 2 v ■ We have to prove that there exists an isomorphism ^j.Pj : J^ 2 p — 
^.4,i.p, such that (^(i-Pi,Ci.Pi))feez 2 " = ( c 7r(fc^))fcez 2 " • 
Let $H_{2^\nu} = Z_{2^\nu} \times \hat{Z}_{2^{\nu-1}}$. For all $x = (x', x'') \in H_{2^\nu}$, we let

. Let (x, y, u, v) G H 2 v and r = (t', t") G fla" such that It = x — y — u — v. 
By the induction hypothesis, for - 1)P, P, (z — 2)P, 0}, we have already 

a well defined isomorphisms Jz?j| — & a,x- We choose any isomorphism £ t i.p 1 : 
«2^ 2 Pi ~ A ,i.Pi- 

By applying Theorem 5.3 we deduce a relation

*x(«J,&p)*»((« - 2).P,C(i- 2 ).p)l?«(0,6)i? (0 ) eo) = 

= E ^(2t')^-r+ t ((i - IJJ'.^d.pIWK' - l)-P.£(i-i).p) (18) 
teff 2 

tf u+T+t (P,£pK+r+ t (P£p), 

where < = (t',t"), A = r" + t" and A G F ? docs not depend on the choice of 
{x,y,u,v) G H 2 u. 

On the other side, denote by H 2 «t — Z 2 »t x Z 2v -i . In the following we identify 
H 2 vt with the Cartesian product H 2 » x Zg. For all a; = (x',x") G P2"£, we let 
dx = J2tez 2 x"{t)c x i +t . Set xi = (ar,i)>S/i = (j/> i-2),ui = (u,0),vi = (v,Q). 
Let t G be such that 2t = x — y — u — v and ti=tx{1}g H 2 v t . We 
remark that 2t\ — x\ — y\ — u\ — v\ and by applying Theorem 15. 2\ we get a 
relation deduced from the definition of I 

(19) 

ten 2 

where t = {t',t") G H 2 . 

By the recurrence hypothesis and by the construction of the quadruples 
(xi,yi,ui,wi), we have for all t G H 2 , d Xl _ n+t = tf x _ r+t ((i - 1).P, £(i-i).p)i 

^yi+r+t = ^y+r+t((i — 1)-P> C(i-l).p)) ^tii+ri+t = $u+r+t(P) £p), ^i+n+t = 

fiv+T+t(P,t;p)- In the same way, on the left hand side of (fl9|) , we have d Vl — 
tf y ((i - 2)P,£ (i _ 2) . P ), d ui = tf„(0,£ o ) and d Wl = 0„(O,£ O ). 

There exists uo G such that tto (O, £o) 7^ 0. We can take it = u = uq in 
Equations (fT5|) and (fT!?]) and we deduce immediately that d xi = i3 x (i.P, £i.p). 
By taking all possible values of x'[ in xi = (x[, x"), we obtain that 

• for all k G Z 2 * , c^r/.^) is uniquely determined from the knowledge of c^^.j) 
for j < i — 1; 

• for all fc G ^2") c OT (fe^) = 0k(i-P,£i.p) modulo multiplication by a constant 
factor independent of k that we normalise to 1 by choosing a certain £j.p. 

□ 
Proof. By the preceding lemma, $(c_{\pi(k,i)})$, being the homogeneous coordinates 
of a ^-torsion point of A, can only assume a finite number of values up to 
multiplication by a constant factor, and the data of $(c_{\pi(k,i)})$ defines a unique 
solution of the system associated to J'. In order to finish the proof, we only 
have to show that J' is not a homogeneous ideal, but this is clear 
from the definition. □ 



6 Practical implementation and examples 

The proved version of the algorithm involves the resolution of algebraic systems, 
which makes it unsuitable for practical applications. We have implemented the 
heuristic version of the algorithm for genus 1 and genus 2 [CL07]. For 
the genus 2 implementation, a special-purpose Groebner basis algorithm 
makes it possible to solve the algebraic system of the initialisation phase easily. 

A genus 1 characteristic 5 example. Let $\mathbb{F}_{5^8}$ be represented by the 
quotient $\mathbb{F}_5[X]/(P)$ where $P(X) = X^8 + X^4 + 3X^2 + 4X + 2$ and let $u$ be the image 
of $X$ in $\mathbb{F}_{5^8}$ via the above isomorphism. Let $E$ be the ordinary elliptic curve 
given by the Weierstrass equation 

$$y^2 = x^3 + x^2 + 3x.$$

After the initialisation phase we obtain the following six theta constants 

$$[\,1,\ 4,\ u^{32552},\ u^{309244},\ u^{211588},\ u^{32552}\,]$$

We consider $\mathbb{Z}_{5^8}$ given as the unramified extension of the 5-adic integers $\mathbb{Z}_5$ 
defined by the integer polynomial $X^8 + X^4 + 3X^2 + 4X + 2$ and denote by $z$ 
the image of $X$ in $\mathbb{Z}_{5^8}$. After the lift phase we get the following lifted theta 
constants to precision 5 

$$\begin{aligned}
\big[\,&1,\\
&-1460z^7 - 10z^6 - 785z^5 + 715z^4 - 555z^3 + 420z^2 - 1035z - 1116,\\
&-1449z^7 - 819z^6 + 396z^5 + 746z^4 + 1108z^3 + 648z^2 + 546z - 1189,\\
&1438z^7 - 1497z^6 + 1548z^5 - 777z^4 + 354z^3 - 876z^2 + 998z + 1029,\\
&1449z^7 + 819z^6 - 396z^5 - 746z^4 - 1108z^3 - 648z^2 - 546z - 868,\\
&-1504z^7 + 101z^6 + 741z^5 + 591z^4 - 957z^3 - 492z^2 - 1109z - 834\,\big]
\end{aligned}$$

where z is a generator 

After the norm phase we obtain 1054 as the number of rational points on E. 

A genus 2 characteristic 3 example. Let $\mathbb{F}_{3^{20}}$ be represented by the quotient 
$\mathbb{F}_3[X]/(P)$ where 

$$P(X) = X^{20} + 2X^{14} + X^{13} + X^{12} + 2X^{11} + X^{10} + X^9 + X^8 + 2X^6 + 2X^4 + X^3 + 2$$

and let $w$ be the image of $X$ in $\mathbb{F}_{3^{20}}$ via this isomorphism. Let $H$ be the ordinary 
hyperelliptic curve given by the affine equation 



y 2 = x6 + (™ 1 » + ™ 17 +™ 1 6 + TO ll +to 10 +ro 9 +tl ,8 +ro 7 + 2TO 5 +2m 2 +ti , )!i; 5 

+ (ii, 19 + 2„, 17 + 2™ 16 + ™ 13 + m 11 + w 10 + 2„ 8 + 2» 7 + w 6 + 2™ 4 + » + 2)x 4 

. ,~ 19 , 18 . - 17 , - 15 , 14 . „ 12 . „ ll.o 10 . 9 , 7 . „ 
4-(2ii' 4- 2u> 4- 2w + 2it; 4- 2w 4- 2m 4- 2-w 4- 2tu 4- 2tu 4- w + 2u 

+ W 5 + 2ra 4 + ™ 3 4- + l)x 3 
+ (u 1 19 + 2u, 18 + 2» 16 + 2™ 13 + „ 12 + u, 10 + 2u, 9 + » 8 + u, 6 + 2„ 2 + l)x 2 
+ („ 19 + 2u, 18 + » 17 + 2» 15 + 2» 14 + » 13 + » 12 + + 2„ 9 + 4- „6 

+ 2ii! 5 + 2iu 4 + n, 3 + 2w 2 4- 2)x 

, 19 , , 16 , 15, 14. 12 - 8 . 7. 6. 4 , , 3 , 2 
4-iu 4- 2ui 4- 11; 4- m 4-w 4- 2iy + 111 4- id 4- 11; 4- 2w 4- w 4- n; 4- 1 

First, we compute the following level 2 theta constants 

* 00 = u, 19 + ™ 18 4-2.ii, 15 4-n, 14 4-n, 12 4-2u, 10 4-™ 7 + 2u, 6 + 2u, 5 + 2u, 4 + „ 3 +„ +2 

19 . 17 . - 16 . 15 , 14 . „ 13 12 . „ 11 . „ 10 , 9 

a:Q3 = w 4- 2w 4- 2ui 4- 2ui 4- 2ui 4- 2tu + w 4- 2tu 4- 2w ' 

w 6 + 2w 5 + w 4 + n, 3 + 2w 2 + 2-w + 2 

19 , 18 , 17 16 , 15 , „ 14 . 1 
^30 = w + 2w 4- in + w 4- 2*ii 4- 2m 4- 2tu 

+ 2u, 7 + 2tu 3 4- u> 2 4- 2 

x 33 = 2n> 19 + 2u> 18 4- to 17 + 2m 15 + 2u, 13 + 2n> 12 + u> 10 + 2n> 9 + to 8 + u, 6 4- 2m 4 + 2m 3 + u, 2 + 2n> + 1 . 

After the Groebner basis step, we obtain the following list of theta constants 

n ,18, 16, 15 , Q 9 , 8. 7, 6 , 5 , 4 , Q 

= ^01 + w + w + w + 2u} + w + ™ + w + 2w + w + 2 

n . 19 . „ 17 16 , „ 15 , 14 13 , 12 11 10 , 9 , 

tu 7 + 2iu 5 + m 4 + in 3 + vj 2 + TO 4- 2 
= x 10+ 2 tu 19 + 2™ 18 + TO 17 + 2™ 14 + 2™ 13 + 2TO 12 + „ 11 + TO 10 + ro 9 + 2TO 8 
+ 2id 6 + 2u> 4 + ii! 3 + 2id 2 + 2 



+ 2id 6 + 2tu 4 + m 3 + 2id 2 + 2 

xn + 2™ 19 4- u, 18 + u, 15 + 2n. 14 + 2» 12 + 2™ 11 + 2n, 10 + 2» 9 + „ 7 + 

4-u, 4 + n, 3 + 2uj 2 4- 2id + 2 

in iq i t t a ic: 1^ i-i in in 



+ 2tu 10 + 2u> 9 4- 1 



= 




+ 2ni 9 + 2uj 7 + u, 6 + n, 5 + 2id 4 + ii, 3 4- : 



After the norm phase, we obtain the product of the eigenvalues of the Frobenius 
morphism which are units modulo 3, namely the number 

202395421016914130938488532 

to precision 56. From here, we can recover the polynomial $\chi_F$, which is 

$$\chi_F(X) = X^4 + 19612X^3 - 4108934426X^2 + 68382815672412X + 12157665459056928801.$$
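The quoted $\chi_F$ can be checked for internal consistency and turned into the point counts a cryptographic parameter check needs. The following is an added example, not code from the paper or from [CL07]; it assumes $\chi_F$ is the characteristic polynomial of Frobenius on the Jacobian, so that $\#J(\mathbb{F}_q) = \chi_F(1)$, and all function names are hypothetical.

```python
from math import isqrt

P = 3  # characteristic of the base field, from the example heading
# chi_F(X) = X^4 + a1*X^3 + a2*X^2 + a3*X + a4, coefficients copied from the text.
CHI = [1, 19612, -4108934426, 68382815672412, 12157665459056928801]

def field_size(chi, p):
    """Recover q from a4 = q^2; return None unless q is a positive power of p."""
    q = isqrt(chi[4])
    if q * q != chi[4]:
        return None
    r = q
    while r % p == 0:
        r //= p
    return q if r == 1 and q > 1 else None

def satisfies_functional_equation(chi, q):
    """Roots pair up as (pi, q/pi), which forces a3 = q*a1 and a4 = q^2."""
    return chi[3] == q * chi[1] and chi[4] == q * q

def within_weil_bounds(chi, q):
    """All four roots have absolute value sqrt(q): |a1| <= 4*sqrt(q), |a2| <= 6*q."""
    return chi[1] ** 2 <= 16 * q and abs(chi[2]) <= 6 * q

def is_ordinary(chi, p):
    """In genus 2 the Jacobian is ordinary iff a2 is a unit modulo p."""
    return chi[2] % p != 0

def jacobian_order(chi):
    """#J(F_q) = chi_F(1), the sum of the coefficients."""
    return sum(chi)

def curve_points(chi, q):
    """#H(F_q) = q + 1 - trace(Frobenius); the trace is -a1."""
    return q + 1 + chi[1]

if __name__ == "__main__":
    q = field_size(CHI, P)
    print("q =", q)
    print("functional equation:", satisfies_functional_equation(CHI, q))
    print("Weil bounds:", within_weil_bounds(CHI, q))
    print("ordinary:", is_ordinary(CHI, P))
    print("#J(F_q) =", jacobian_order(CHI))
    print("#H(F_q) =", curve_points(CHI, q))
```

The constant term alone fixes $q = 3^{20}$, and the order returned by `jacobian_order` is the integer whose factorisation decides whether the Jacobian is usable for discrete-logarithm-based protocols.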



Conclusion 

We have given an algorithm with quasi-quadratic time and quadratic space 
complexity with respect to the size of the base field to compute the number of 
points of a hyperelliptic curve whose Jacobian is ordinary and absolutely simple. 

In fact, we have given two versions of our algorithm: one with a proved 
complexity bound but poor practical behaviour, and a heuristic one which behaves 
very well in practice. 